node-forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in jsbn Library
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled `jsbn` library. When the function is called with a zero value, the loop of its internal Extended Euclidean Algorithm never reaches its exit condition, so the Node.js process hangs indefinitely while consuming 100% CPU.
The vulnerability was reported by a researcher known as Kr0emer and is addressed in the newly released `node-forge` version 1.4.0. The previous version, 1.3.3, is affected. The update is categorized as a "HIGH" severity security fix. `node-forge` is a fundamental library for implementing cryptographic functions in JavaScript and Node.js environments, making it a critical dependency for countless applications in the npm and Yarn ecosystems.
This patch underscores the persistent security risks within foundational open-source dependencies, particularly those handling cryptographic operations. The specific trigger—a zero input to a modular inverse function—highlights how seemingly minor edge cases can be exploited to cripple application performance. Developers and security teams managing projects that depend on `node-forge` must prioritize this update to mitigate the risk of service disruption and resource exhaustion attacks.
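The defensive pattern the article implies is to validate modular-inverse operands before they reach the library. The following is an added example and not code from `node-forge` or `jsbn`: a plain BigInt Extended Euclidean inverse (`modInverse`) plus a wrapper (`guardedModInverse`, a hypothetical name) that rejects a zero operand, a degenerate modulus and non-BigInt input before delegating to any implementation.

```javascript
// Added example, not node-forge's or jsbn's code. Demonstrates the
// input check that keeps a modular-inverse call away from the
// zero-input corner case described for CVE-2026-33891, and a wrapper
// that places that check in front of any modInverse implementation.

// Extended Euclidean algorithm over BigInt. Returns the inverse of a
// modulo m, or null when gcd(a, m) != 1 (no inverse exists).
function modInverse(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];   // normalise a into [0, m)
  let [oldS, s] = [1n, 0n];                 // Bezout coefficient for a
  while (r !== 0n) {
    const q = oldR / r;                     // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) return null;             // gcd != 1: not invertible
  return ((oldS % m) + m) % m;
}

// Validates operands, then delegates to `impl` (any modInverse
// implementation with the signature (a, m) -> inverse). Zero has no
// inverse for any modulus > 1 because gcd(0, m) = m, so it is refused
// here instead of being handed to the underlying loop.
function guardedModInverse(impl, a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint") {
    throw new TypeError("modInverse expects BigInt operands");
  }
  if (m <= 1n) throw new RangeError("modulus must be greater than 1");
  if (a % m === 0n) throw new RangeError("0 has no modular inverse");
  return impl(a, m);
}

// Usage: 3 * 5 = 15 = 2 * 7 + 1, so the inverse of 3 mod 7 is 5.
console.log(guardedModInverse(modInverse, 3n, 7n));   // 5n
```

The same `a % m === 0n` check also catches multiples of the modulus, which reduce to zero after normalisation.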