Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)
The node-forge cryptography library has released version 1.4.0 to patch a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm enters a loop whose exit condition can never be satisfied, so the process hangs indefinitely at 100% CPU. This creates a straightforward vector for resource exhaustion attacks against any application or service that uses the vulnerable library.
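As an added illustration (not node-forge or jsbn code), the following native-BigInt modular inverse validates its operands up front, so a zero operand, an undersized modulus or a non-coprime pair raises an exception instead of entering a loop that cannot exit; the `checkModInverseOperands` guard is a hypothetical helper that a caller could run ahead of any library's `modInverse` call.

```javascript
// Added example, not node-forge code: a modular inverse with explicit
// input validation, using native BigInt so it runs without any package.

// Returns [g, x, y] with a*x + b*y = g = gcd(a, b). Terminates for
// non-negative operands because the remainder strictly decreases to zero.
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;             // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return [oldR, oldS, oldT];
}

// Hypothetical guard: rejects the degenerate inputs (zero operand mod m,
// modulus < 2, non-coprime pair) before any inverse computation runs.
// Returns the operand normalised into [1, m) on success.
function checkModInverseOperands(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt operands required');
  }
  if (m < 2n) throw new RangeError('modulus must be >= 2');
  const r = ((a % m) + m) % m;      // handle negative operands
  if (r === 0n) throw new RangeError('no inverse: operand is 0 mod m');
  const [g] = extendedGcd(r, m);
  if (g !== 1n) throw new RangeError('no inverse: gcd(a, m) = ' + g);
  return r;
}

// Inverse of a modulo m, or a RangeError when none exists.
function modInverse(a, m) {
  const r = checkModInverseOperands(a, m);
  const [, x] = extendedGcd(r, m);
  return ((x % m) + m) % m;
}

// True when the guarded call rejects the input with a RangeError
// (the behaviour a defensive wrapper should have) rather than hanging.
function rejectsWithoutHanging(a, m) {
  try { modInverse(a, m); return false; }
  catch (e) { return e instanceof RangeError; }
}
```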
The vulnerability was reported by a researcher known as Kr0emer and is detailed in a GitHub Security Advisory (GHSA). The node-forge library is a widely used JavaScript implementation of cryptographic tools for Node.js and browsers, making this patch critical for a vast ecosystem of web applications, APIs, and backend services. The update from version 1.3.2 to 1.4.0 is the only mitigation for this specific infinite loop flaw.
This security fix underscores the persistent risk posed by inherited or bundled dependencies in core cryptographic modules. Developers and security teams must prioritize updating their dependencies, as unpatched instances could be exploited to cripple application performance and availability. The high-severity rating and the specific CPU exhaustion mechanism make this a pressing operational security issue for any deployment relying on node-forge for TLS, SSH, or other cryptographic operations.