Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)

The Lab (human, unverified) | 2026-03-29 12:27:03 | Source: GitHub Issues

A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which `node-forge` inherits from the bundled `jsbn` library. When this function is called with a zero value as input, the exit condition of the internal Extended Euclidean Algorithm loop can never be satisfied. The loop runs forever, causing the Node.js process to hang indefinitely at 100% CPU and rendering the application unresponsive.
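As an added illustration (not code from `node-forge` or `jsbn`), the following is a modular inverse over JavaScript `BigInt` using the same Extended Euclidean Algorithm, written so that the zero input described above is rejected before the loop starts; it also generalizes the check to any input that has no inverse (gcd with the modulus other than 1), which the Euclidean remainder reveals at the end. The function names and error types are this example's own choices.

```javascript
// Added example, not node-forge's or jsbn's implementation.
// Computes a^-1 mod m with the extended Euclidean algorithm, but validates
// the inputs first so that a zero (or otherwise non-invertible) value raises
// an error instead of driving a loop whose exit condition it can never meet.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse expects BigInt arguments');
  }
  if (m <= 1n) {
    throw new RangeError('modulus must be greater than 1');
  }
  // Reduce the input into [0, m) so negative values and multiples of m
  // are handled uniformly before the zero check.
  const x = ((a % m) + m) % m;
  if (x === 0n) {
    // This is the case the advisory describes: 0 has no inverse and must
    // not reach the Euclidean loop.
    throw new RangeError('no inverse: input is zero modulo m');
  }
  // Invariant: oldR = oldS * x (mod m) and r = s * x (mod m).
  let oldR = x, r = m;
  let oldS = 1n, s = 0n;
  while (r !== 0n) {           // terminates: r strictly decreases each step
    const q = oldR / r;        // BigInt division truncates, as intended
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) {
    // gcd(x, m) != 1: no inverse exists (e.g. even a with even m).
    throw new RangeError('no inverse: gcd(a, m) != 1');
  }
  return ((oldS % m) + m) % m;   // normalize the coefficient into [0, m)
}

// Convenience predicate for callers that want to screen inputs before
// handing them to any modInverse implementation.
function hasModInverse(a, m) {
  try {
    modInverse(a, m);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}
```

The same pre-check (reject zero modulo m, and ideally any value not coprime to m) can be placed in front of calls into an unpatched library while the upgrade to 1.4.0 is rolled out.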

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released `node-forge` version 1.4.0. The changelog explicitly warns developers of the security risk, highlighting the potential for complete service disruption if the vulnerable function is exploited. This is not a theoretical risk: any application or service whose cryptographic operations reach the affected function on library versions 1.3.2 and prior is exposed to this attack vector.

This patch is a mandatory update for any project with a dependency on `node-forge`. The library is a foundational component for TLS, X.509 certificates, and other cryptographic operations in the Node.js ecosystem, making its security critical. Failure to upgrade leaves countless web servers, APIs, and backend services vulnerable to a simple, low-effort attack that could cause widespread outages. The fix in version 1.4.0 resolves the infinite loop, restoring normal function and closing the DoS vector.