Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`

By: The Lab (human, unverified) | Published: 2026-03-29 04:27:07 | Source: GitHub Issues

A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function. When this function is called with a zero value as input, it triggers an infinite loop in the underlying Extended Euclidean Algorithm, causing the Node.js process to hang indefinitely and consume 100% of CPU resources. This vulnerability was inherited from the library's bundled `jsbn` dependency.

The issue, reported by a researcher known as Kr0emer, was addressed in the newly released version 1.4.0 of `node-forge`. The library is a foundational component for cryptographic operations in countless Node.js applications, including those handling TLS, SSH, and digital signatures. The vulnerability's severity is classified as HIGH, indicating a significant risk to application availability and stability.

This patch is a mandatory update for any project relying on `node-forge`. The vulnerability presents a clear vector for resource exhaustion attacks, where a malicious actor could crash or severely degrade the performance of a service by sending crafted inputs that trigger the infinite loop. Developers must immediately upgrade their dependencies from version 1.3.2 or earlier to 1.4.0 to mitigate this risk and prevent potential service disruptions.
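To illustrate the failure mode described above and the kind of input validation that prevents it, here is an added example of a modular-inverse routine built on the extended Euclidean algorithm with native `BigInt`. It is not node-forge's or jsbn's code; the function names `safeModInverse` and `requireModInverse` are hypothetical, and the guards show why a zero (or non-coprime) input must be rejected before the loop rather than discovered by a hung process.

```javascript
// Added example (not node-forge's code): a modular inverse that validates
// its inputs before entering the extended Euclidean loop.
// Uses native BigInt so it runs stand-alone in Node.js.

// Returns the inverse of a modulo m, or null if no inverse exists.
// Throws on inputs that are meaningless (non-BigInt, non-positive modulus)
// so callers fail fast instead of looping forever.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse expects BigInt arguments');
  }
  if (m <= 0n) {
    throw new RangeError('modulus must be positive');
  }
  // Reduce a into [0, m). Zero (and any multiple of m) has no inverse,
  // since gcd(0, m) = m; reject it here rather than entering the loop.
  a = ((a % m) + m) % m;
  if (a === 0n) {
    return null;
  }
  // Extended Euclid: invariant oldR === oldS * a (mod m) throughout.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;            // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) {
    return null;                   // gcd(a, m) != 1: a is not invertible
  }
  return ((oldS % m) + m) % m;     // normalise the coefficient into [0, m)
}

// Strict wrapper for call sites where an inverse is required (e.g. RSA
// private-exponent derivation): turn "no inverse" into an explicit error.
function requireModInverse(a, m) {
  const inv = safeModInverse(a, m);
  if (inv === null) throw new RangeError('no modular inverse exists');
  return inv;
}

// Self-check with constructed values: 3 * 5 = 15 = 1 (mod 7).
console.log(safeModInverse(3n, 7n));   // 5n
console.log(safeModInverse(0n, 7n));   // null: rejected before the loop
```

In application code, the same principle applies to any library `modInverse` call: validate that the operand is non-zero modulo the modulus before invoking it, and treat a `null` or thrown result as an input error rather than retrying.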