Critical DoS Vulnerability in node-forge 1.3.2: Infinite Loop in BigInteger.modInverse()
A high-severity Denial of Service (DoS) vulnerability has been patched in the widely used cryptographic library node-forge. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. This creates a straightforward path for attackers to crash or paralyze dependent applications.
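As an added illustration (not node-forge's or jsbn's code), the following BigInt-based routine shows the input check that prevents this class of hang: a modular inverse of 0 does not exist (gcd(0, m) = m), so a validated implementation rejects it, and any other non-coprime input, before any loop runs rather than searching for a remainder of 1 that never appears. The function names `extendedGcd`, `safeModInverse` and `tryModInverse` are assumptions for this example.

```javascript
// Added example (not node-forge's or jsbn's code): a modular inverse that
// validates its inputs up front instead of relying on the loop to exit.
// Uses native BigInt so it runs stand-alone without node-forge.

// Extended Euclidean algorithm on BigInt: returns { g, x, y } with a*x + m*y = g.
// The remainder sequence strictly decreases, so the loop always terminates,
// including for a = 0 (it returns g = m immediately).
function extendedGcd(a, m) {
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;               // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return { g: oldR, x: oldS, y: oldT };
}

// Hardened modInverse: rejects m <= 1, reduces a mod m, then refuses a = 0
// (gcd(0, m) = m, so no inverse exists) and any other non-coprime input.
// Every failure is a thrown error, never a spin in the algorithm.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt inputs required');
  }
  if (m <= 1n) throw new RangeError('modulus must be > 1');
  const aRed = ((a % m) + m) % m;     // normalise negatives into [0, m)
  if (aRed === 0n) throw new RangeError('0 has no inverse modulo ' + m);
  const { g, x } = extendedGcd(aRed, m);
  if (g !== 1n) {
    throw new RangeError('no inverse: gcd(' + aRed + ', ' + m + ') = ' + g);
  }
  return ((x % m) + m) % m;
}

// Wrapper for untrusted input (e.g. values parsed from a certificate or key):
// surfaces a clean error object instead of letting a bad value reach the
// arithmetic unchecked.
function tryModInverse(a, m) {
  try {
    return { ok: true, value: safeModInverse(a, m) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```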
The vulnerability was reported by researcher Kr0emer and has been addressed in node-forge version 1.4.0, released on March 24, 2026. The library is a core dependency for many Node.js applications, particularly in frontend build tools and backend services handling cryptography, TLS, or X.509 certificates. The security advisory from Digital Bazaar, the library's maintainer, classifies the issue as HIGH severity, underscoring its potential for immediate operational disruption.
This update is not a routine patch but a mandatory security fix. Any project using a node-forge version prior to 1.4.0 in its frontend or backend toolchain is exposed to this DoS risk. The GitHub issue demonstrates an automated dependency bump, a common but critical maintenance task that now carries significant security weight. Failure to apply this patch leaves applications vulnerable to a simple resource-exhaustion attack that could degrade service availability or lead to complete system unresponsiveness.