Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`

The Lab (human) | unverified | 2026-03-29 04:27:08 | Source: GitHub Issues

A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in `BigInteger.modInverse()`, a function inherited from the bundled `jsbn` big-integer implementation. When the function is called with a zero operand, the internal extended Euclidean loop never reaches its exit condition. Because the call is synchronous, the Node.js event loop blocks: the process hangs indefinitely, pegs the CPU at 100%, and never throws or crashes.
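The loop the advisory describes, as an added example that is not node-forge's or jsbn's own code: a BigInt model of the binary extended Euclidean modular inverse in the jsbn style (written from memory and restricted to an odd modulus greater than 1 and a non-negative operand, both assumptions of this model), with a step budget standing in for the real library's unbounded loop, next to a guard that rejects a zero or non-coprime operand before the algorithm ever runs. All inputs in `demo()` are constructed.

```javascript
// Added example (not node-forge's or jsbn's code): a BigInt model of the
// binary extended-Euclidean modular inverse used by jsbn-style BigInteger
// classes. ASSUMPTIONS of this model: odd modulus m > 1, operand x >= 0,
// and a step budget that throws where the real loop would simply spin.

function bitLength(n) {
  return n.toString(2).length;
}

function gcd(a, b) {
  while (b !== 0n) [a, b] = [b, a % b];
  return a;
}

// Model of the unguarded inverse. maxSteps stands in for the library's lack
// of any cap: when the budget is exhausted we throw instead of hanging.
function binaryModInverseModel(x, m, maxSteps = 8 * bitLength(m) + 64) {
  if (m <= 1n || m % 2n === 0n) throw new RangeError("model requires an odd modulus > 1");
  if (x < 0n) throw new RangeError("model requires x >= 0");
  let u = m, v = x;      // invariant: b*x ≡ u (mod m) and d*x ≡ v (mod m)
  let b = 0n, d = 1n;
  let steps = 0;
  const tick = () => {
    if (++steps > maxSteps) {
      throw new Error("step budget exceeded: loop never reaches its exit condition");
    }
  };
  while (u !== 0n) {
    tick();
    while (u % 2n === 0n) {   // halve u while keeping b*x ≡ u (mod m)
      tick();
      u >>= 1n;
      if (b % 2n !== 0n) b -= m;   // b odd, m odd: b - m is even, so the shift is exact
      b >>= 1n;
    }
    while (v % 2n === 0n) {   // halve v; with v === 0n this never ends: 0 is even and 0 >> 1 is 0
      tick();
      v >>= 1n;
      if (d % 2n !== 0n) d -= m;
      d >>= 1n;
    }
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) throw new RangeError("not invertible: gcd(x, m) = " + v);
  return ((d % m) + m) % m;    // normalise d into [0, m)
}

// Hardened entry point: validate the operands before the algorithm runs.
function safeModInverse(x, m) {
  if (typeof x !== "bigint" || typeof m !== "bigint") throw new TypeError("bigint operands required");
  if (m <= 1n || m % 2n === 0n) throw new RangeError("modulus must be an odd integer > 1");
  const r = ((x % m) + m) % m;    // reduce first so multiples of m are caught as zero too
  if (r === 0n) throw new RangeError("0 has no inverse; refusing to call modInverse");
  if (gcd(r, m) !== 1n) throw new RangeError("x and m are not coprime; no inverse exists");
  return binaryModInverseModel(r, m);
}

// Constructed inputs: a small modulus, a Mersenne prime modulus with the
// usual RSA public exponent, and the zero operand that triggers the hang.
function demo() {
  const M = (1n << 127n) - 1n;
  const e = 65537n;
  const inv = safeModInverse(e, M);
  let hangsOnZero = false;
  try { binaryModInverseModel(0n, 7n); } catch (err) { hangsOnZero = /step budget/.test(err.message); }
  let guardRejectsZero = false;
  try { safeModInverse(0n, 7n); } catch (err) { guardRejectsZero = err instanceof RangeError; }
  return {
    inverseOf3mod7: safeModInverse(3n, 7n),          // 5n, since 3 * 5 = 15 ≡ 1 (mod 7)
    largeInverseChecks: (e * inv) % M === 1n,          // true
    hangsOnZero,                                       // true: budget exhausted in the v-halving loop
    guardRejectsZero,                                  // true: rejected before the loop
  };
}

console.log(demo());
```

The guard is the stopgap for a code path that cannot take the upgrade immediately: reduce the operand, refuse zero (and, while you are there, refuse non-coprime operands, which have no inverse either), and only then call into the library. The step budget is a teaching device; the real loop has no such cap, which is exactly why the process hangs rather than fails.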

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer and is fixed in the newly released version 1.4.0 of `node-forge`. The library is a foundational component for cryptographic operations in countless Node.js applications, including those handling TLS, SSH, and digital signatures. Because the bug neither crashes the process nor throws, it leaves no stack trace or crash log; the only symptoms are an unresponsive service and a pinned CPU, which makes it a potent vector for disrupting availability wherever attacker-influenced values can reach `modInverse()`.

The patch requires no caller-side code change, only a dependency update, but that update has to reach every copy of `node-forge` in the tree, including transitive copies pulled in by other packages. Developers and security teams must prioritize upgrading to `node-forge@1.4.0` to mitigate the risk of application instability and targeted DoS attacks; `npm ls node-forge` shows which dependents still pin an older version, and an `overrides` (npm) or `resolutions` (yarn) entry can force the fixed version where a dependent has not yet updated. The fix highlights the persistent security challenges within deeply nested dependencies, especially in core cryptographic primitives, where an algorithmic edge case can have outsized operational impact.