Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`

Author: The Lab (human, unverified) | 2026-03-29 03:27:01 | Source: GitHub Issues

A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function. When this function is called with a zero value as input, it triggers an infinite loop in the underlying Extended Euclidean Algorithm, causing the Node.js process to hang indefinitely and consume 100% CPU. This vulnerability was inherited from the bundled `jsbn` library and was reported by a researcher known as Kr0emer.

The patch is delivered in version 1.4.0 of `node-forge`, released on March 24, 2026. The library, maintained by Digital Bazaar, is a fundamental component for cryptographic operations—including TLS, X.509 certificates, and PKI—in countless Node.js applications and dependencies. The vulnerability's severity is classified as HIGH, indicating a significant risk of service disruption for any application that processes untrusted input through the affected function.

This update puts immediate pressure on development and security teams to audit their dependency trees and upgrade. Given `node-forge`'s deep integration into the npm ecosystem, the potential attack surface is substantial. Unpatched systems risk becoming completely unresponsive if an attacker can supply a zero value to the vulnerable function, making this a priority fix for maintaining application availability and security posture.
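As an added defensive illustration (my own code, not node-forge's, and not calling its API), the helper below rejects the zero operand described above before any inverse computation runs, then computes the inverse with the classic extended Euclidean algorithm, whose remainder strictly decreases every iteration and therefore always terminates; the function names and the native-BigInt choice are assumptions of this example.

```javascript
// Added example, not node-forge's code. Whatever library does the arithmetic,
// the mitigation is the same: validate untrusted operands before they reach a
// loop that cannot cope with them. Here the inverse is computed with native
// BigInt so the example runs stand-alone.

class ModInverseError extends Error {}

// Reject operands for which no inverse exists. a == 0 (mod m) is exactly the
// case the advisory says makes the vulnerable routine spin forever.
function validateOperands(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new ModInverseError('operands must be BigInt');
  }
  if (m <= 1n) throw new ModInverseError('modulus must be > 1');
  if (a % m === 0n) throw new ModInverseError('value is 0 mod m: no inverse');
}

// Returns x in [1, m) with (a * x) % m === 1n, or throws ModInverseError.
// Extended Euclid: each iteration replaces (oldR, r) with (r, oldR mod r),
// so r decreases strictly toward 0 and the loop is guaranteed to finish.
function safeModInverse(a, m) {
  validateOperands(a, m);
  let [oldR, r] = [((a % m) + m) % m, m]; // normalise a into [1, m)
  let [oldS, s] = [1n, 0n];               // coefficients of a (Bezout)
  while (r !== 0n) {
    const q = oldR / r;                   // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new ModInverseError('gcd(a, m) != 1: no inverse');
  return ((oldS % m) + m) % m;            // map negative coefficient into [1, m)
}

// Non-throwing wrapper: lets a request handler log and drop bad input
// instead of turning a validation failure into an unhandled exception.
function tryModInverse(a, m) {
  try {
    return { ok: true, value: safeModInverse(a, m) };
  } catch (e) {
    if (e instanceof ModInverseError) return { ok: false, reason: e.message };
    throw e;
  }
}
```

Put the guard at the trust boundary (request parsing, key import) so that a zero or non-coprime operand is rejected and logged before it is handed to any big-integer library.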