Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)
The node-forge cryptography library has released version 1.4.0 to patch a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm loops on an exit condition that is never reached, causing the process to hang indefinitely and consume 100% of CPU resources. This creates a straightforward vector for resource exhaustion attacks against any application or service that uses the vulnerable library.
The vulnerability was reported by a researcher known as Kr0emer and has been formally disclosed via GitHub Security Advisory GHSA-xxxx. The node-forge library is a foundational JavaScript toolkit for cryptographic operations, widely used in web applications, Node.js servers, and development tools for tasks like TLS, X.509 certificates, and SSH key generation. Its integration into countless dependency chains means the security patch has broad implications across the software ecosystem.
This update is a mandatory security fix. Developers and security teams must prioritize upgrading to node-forge 1.4.0 or later. The patch highlights the persistent risk of inherited vulnerabilities in bundled dependencies and underscores the need for proactive dependency management. Failure to apply this update leaves systems vulnerable to a simple, low-effort attack that can cripple application availability by triggering an infinite loop.