Anonymous Intelligence Signal

Critical DoS Flaw in Node-Forge Library (CVE-2026-33891) Prompts Urgent Update to v1.4.0

Author: The Lab (unverified) | 2026-03-29 04:27:06 | Source: GitHub Issues

A high-severity Denial of Service (DoS) vulnerability has been patched in the widely used `node-forge` cryptography library, forcing projects to urgently update to version 1.4.0. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this function is called with a zero value as input, it triggers an infinite loop, causing the Node.js process to hang indefinitely and consume 100% CPU. This creates a straightforward vector for resource exhaustion attacks against any application or service relying on the vulnerable library.

The vulnerability was reported by a researcher known as Kr0emer and has been assigned a HIGH severity rating by the maintainers, Digital Bazaar. The issue is specific to the `modInverse()` method, a core mathematical operation used in various cryptographic protocols. The patch in version 1.4.0 resolves the unreachable exit condition in the Extended Euclidean Algorithm, preventing the infinite loop. The changelog explicitly lists this as a security fix, indicating the seriousness with which the maintainers treat the report.
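The defect described above is an Extended Euclidean loop whose exit condition can never be reached when the input has no inverse. The following is an added example, not node-forge's or jsbn's code, showing the shape of a modular-inverse routine that validates its inputs before entering the loop: a zero value (or any value sharing a factor with the modulus) is rejected with an exception, and the loop itself always terminates because each step strictly reduces the remainder. Function names and the use of `BigInt` are choices made for this example.

```javascript
// Added example: modular inverse via the extended Euclidean algorithm with
// explicit guards, so inputs that have no inverse fail fast instead of hanging.
// This is illustrative code, not the library's implementation.
function modInverse(a, m) {
  a = BigInt(a);
  m = BigInt(m);
  if (m <= 1n) {
    throw new RangeError('modulus must be greater than 1');
  }
  // Normalise a into [0, m) so negative inputs are handled consistently.
  a = ((a % m) + m) % m;
  if (a === 0n) {
    // gcd(0, m) = m != 1, so there is no inverse; a loop that waits for the
    // remainder to become 1 here would never exit.
    throw new RangeError('0 has no inverse modulo ' + m);
  }
  // Iterative extended Euclid: track remainders and the coefficient of a.
  let oldR = a, r = m;
  let oldS = 1n, s = 0n;
  while (r !== 0n) {             // r strictly decreases, so this terminates
    const q = oldR / r;          // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) {
    // gcd(a, m) > 1: no inverse exists; report instead of looping.
    throw new RangeError('gcd(' + a + ', ' + m + ') = ' + oldR + '; no inverse');
  }
  return ((oldS % m) + m) % m;   // bring the coefficient into [0, m)
}

// Convenience wrapper returning null rather than throwing, for callers that
// treat "no inverse" as an ordinary outcome rather than an error.
function tryModInverse(a, m) {
  try {
    return modInverse(a, m);
  } catch (e) {
    if (e instanceof RangeError) return null;
    throw e;
  }
}

// Usage: 3 * 4 = 12 = 1 (mod 11), so the inverse of 3 mod 11 is 4.
// modInverse(3, 11) -> 4n ; tryModInverse(0, 11) -> null
```

The two guards before the loop are the point: the function decides whether an inverse exists before it starts iterating, and the loop's exit condition (`r === 0n`) is one that every input reaches. A caller that must never block on attacker-controlled values should also apply an upper bound on input size, since a very large modulus still costs time proportional to its bit length.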

The `node-forge` library is a fundamental component for TLS, PKI, and other cryptographic operations in the Node.js ecosystem, embedded in countless development tools, documentation generators, and backend services. Its presence in a `/docs` directory, as seen in the source pull request, highlights how even ancillary project dependencies can introduce critical security risks. Organizations and developers must immediately audit their dependency trees for `node-forge` versions prior to 1.4.0 to mitigate the risk of service disruption. Failure to patch leaves systems vulnerable to a simple, low-effort attack that could cripple application availability.
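To act on the audit advice above, a team needs to find every copy of `node-forge` in a lockfile, including nested duplicates that a shallow check would miss. The following is an added example, not part of the original report: it scans the `packages` map of an npm lockfile (lockfile version 2 or 3 layout) for any entry whose path ends in `node_modules/node-forge` and whose version is below 1.4.0. The lockfile contents are a constructed sample; the `1.4.0` threshold is the one the report gives.

```javascript
// Added example: find vulnerable node-forge copies in an npm lockfile.
// Constructed sample lockfile content (not a real project's lock); in practice
// you would load it with JSON.parse(fs.readFileSync('package-lock.json')).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'some-tool': '^2.0.0' } },
    'node_modules/node-forge': { version: '1.3.1' },
    'node_modules/some-tool': { version: '2.0.0', dependencies: { 'node-forge': '^1.0.0' } },
    // A nested, older copy pulled in by a transitive dependency.
    'node_modules/some-tool/node_modules/node-forge': { version: '0.10.0' },
    // A copy under a /docs workspace that is already on the fixed release.
    'docs/node_modules/node-forge': { version: '1.4.0' }
  }
};

const FIXED_VERSION = '1.4.0'; // from the report: versions before this are affected

// Compare two dotted versions numerically on major.minor.patch.
// Pre-release suffixes are stripped, so '1.4.0-beta' compares as '1.4.0'.
function versionLt(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Return every lockfile entry for node-forge older than the fixed version.
function findVulnerableForge(lock, fixed = FIXED_VERSION) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/node-forge')) continue;
    if (!entry || typeof entry.version !== 'string') continue;
    if (versionLt(entry.version, fixed)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Usage:
// findVulnerableForge(SAMPLE_LOCK) ->
//   [ { path: 'node_modules/node-forge', version: '1.3.1' },
//     { path: 'node_modules/some-tool/node_modules/node-forge', version: '0.10.0' } ]
```

For a quick interactive check, `npm ls node-forge` prints the same tree of resolved copies; the script form is useful in CI, where a non-empty result should fail the build until the offending dependency is updated or overridden to 1.4.0 or later.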