Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`

Author: The Lab (human, unverified) | 2026-03-29 02:27:05 | Source: GitHub Issues

A high-severity Denial of Service vulnerability in the widely used `node-forge` cryptography library has been patched in version 1.4.0. The flaw resides in `BigInteger.modInverse()`, which `node-forge` inherits from the bundled jsbn big-integer code. When the function is called with a zero value as input, the internal extended Euclidean algorithm never reaches its loop exit condition, so the Node.js process hangs indefinitely at 100% CPU. Because Node.js runs JavaScript on a single thread, a hung event loop also stalls every other request that process was serving, giving a straightforward resource-exhaustion vector against any application or service that passes attacker-influenced values into the vulnerable library's cryptographic operations.

The vulnerability, tracked as CVE-2026-33891 and GHSA-xxxx-xxxx-xxxx, was reported by researcher Kr0emer. `node-forge` is a pure-JavaScript implementation of cryptographic primitives and utilities for TLS, X.509 certificates, and related formats in the Node.js ecosystem. Its wide adoption, both as a direct dependency and transitively through other packages, means this DoS flaw affects many web servers, APIs, and backend services that rely on it for secure communications.

All users of `node-forge` versions prior to 1.4.0 are urged to upgrade immediately to mitigate the risk of service disruption. The patch specifically addresses the infinite loop condition. Given the library's role in security infrastructure, this update should be treated as a high-priority operational task for development and security teams. Teams should also audit their lockfiles for transitive copies of `node-forge`, since a pinned older version pulled in by another package is just as exposed, and should continue to validate untrusted numeric inputs before handing them to big-integer arithmetic, since an upgrade fixes this one hang but not the general pattern of malformed input reaching a loop whose termination depends on the value.
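The following is an added example, not code from `node-forge` or from the advisory, written to illustrate the two points above: why a zero input can starve an even-stripping loop of progress, and how a caller can guard a modular-inverse call before any loop runs. It uses native `BigInt` only, so it runs without the library installed. The loop shape in `evenStripTerminates` is an assumption about the general class of binary extended-GCD implementations and is not a reproduction of the jsbn code; `modInverseGuarded` is a hypothetical hardened wrapper using the classic extended Euclidean algorithm, which terminates for every input and reports non-invertible values instead of hanging.

```javascript
// Added example (not node-forge's code). Native BigInt only.
// Assumption: the hang comes from a loop that halves its operand until it is odd.
// 0n >> 1n is still 0n and still even, so such a loop makes no progress.

// Bounded reproduction of that loop shape. Returns true if the loop exits within
// `budget` halvings and false if the budget is exhausted (i.e. it would spin forever).
function evenStripTerminates(v, budget) {
  let steps = 0;
  while (v % 2n === 0n) {
    if (steps++ >= budget) return false; // without this cap the loop never ends for v === 0n
    v >>= 1n;
  }
  return true;
}

// Hardened modular inverse: validates inputs before any loop runs, then uses the
// extended Euclidean algorithm (hypothetical wrapper, not the library's API).
// Every branch either returns the inverse or throws; no input can hang it.
function modInverseGuarded(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverseGuarded expects BigInt arguments');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  a = ((a % m) + m) % m;                  // normalize into [0, m)
  if (a === 0n) throw new RangeError('0 has no inverse modulo m'); // the zero-input case
  let [oldR, r] = [a, m];                 // remainders
  let [oldS, s] = [1n, 0n];               // Bezout coefficients for a
  while (r !== 0n) {
    const q = oldR / r;                   // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new RangeError('a and m are not coprime; no inverse exists');
  return ((oldS % m) + m) % m;            // oldS * a === 1 (mod m); bring into [0, m)
}

// Usage with constructed inputs:
console.log(evenStripTerminates(6n, 64));    // true: 6 -> 3, loop exits
console.log(evenStripTerminates(0n, 64));    // false: 0 stays 0 and stays even
console.log(modInverseGuarded(17n, 3120n));  // 2753n (17 * 2753 = 46801 = 15 * 3120 + 1)
try {
  modInverseGuarded(0n, 3120n);
} catch (e) {
  console.log(e.message);                    // "0 has no inverse modulo m"
}
```

The check that matters for this advisory is the `a === 0n` rejection, but the wrapper also rejects a non-coprime pair and a degenerate modulus, since those are the other inputs for which "the inverse" is undefined and for which a library is most likely to misbehave. Wrapping the library call in a guard like this is a reasonable interim control while an upgrade is rolled out, and remains good hygiene afterwards.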