Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw in Widely Used Crypto Library

The Lab (unverified) | 2026-03-30 02:27:06 | Source: GitHub Issues

A security vulnerability in the widely used `node-forge` cryptographic library has been patched. The flaw, rated HIGH severity, is in the `BigInteger.modInverse()` function: a crafted input sends the call into an infinite loop, pinning the process at 100% CPU and hanging it indefinitely. The function is inherited from the bundled `jsbn` big-integer code and sits beneath the library's TLS, SSH and other public-key operations, so any service that lets untrusted data reach a `modInverse()` call can be hung or degraded by a single request.

The trigger is calling `modInverse()` with a zero value as input: the internal extended Euclidean loop then has no path to its exit condition and never terminates. The issue is tracked as CVE-2026-33891 and GHSA-... and was reported by researcher Kr0emer. The fix ships in `node-forge` 1.4.0, which supersedes the vulnerable 1.3.2; the changelog calls the security fix out explicitly, which makes the urgency clear to anyone still pinning the older version.
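To make the failure mode concrete, the following is an added example written for this page, not node-forge's or jsbn's own code. It re-implements the binary extended-GCD shape of a modular inverse over native `BigInt` (odd modulus only) with an iteration cap, so that the zero-input case throws instead of spinning at 100% CPU, and pairs it with the input validation a caller should perform before handing values to any `modInverse()` implementation. `MAX_STEPS`, `NonTerminationError`, `binaryModInverse` and `safeModInverse` are names chosen for the example; the cap value is arbitrary.

```javascript
// Added example, not node-forge's own code. Runs on plain Node.js (BigInt), no
// node-forge install required.

const MAX_STEPS = 10_000; // constructed guard; legitimate inputs need far fewer steps

class NonTerminationError extends Error {}

// Binary extended GCD for an odd modulus m.
// Invariant throughout: u ≡ b*a (mod m) and v ≡ d*a (mod m).
// Returns a^-1 mod m, or null when gcd(a, m) != 1.
function binaryModInverse(a, m) {
  if (m <= 0n || (m & 1n) === 0n) throw new RangeError("modulus must be positive and odd");
  let u = m, v = a, b = 0n, d = 1n, steps = 0;
  const tick = () => {
    if (++steps > MAX_STEPS) {
      throw new NonTerminationError(`no progress after ${MAX_STEPS} steps (a=${a}, m=${m})`);
    }
  };
  while (u !== 0n) {
    // Halve u while even; make b even first (m is odd) so b/2 stays exact.
    while ((u & 1n) === 0n) {
      tick();
      u >>= 1n;
      if ((b & 1n) !== 0n) b -= m;
      b >>= 1n;
    }
    // Same for v. With a === 0n, v starts at 0n and 0n >> 1n is 0n again,
    // so this inner loop never ends: that is the hang the advisory describes.
    while ((v & 1n) === 0n) {
      tick();
      v >>= 1n;
      if ((d & 1n) !== 0n) d -= m;
      d >>= 1n;
    }
    tick();
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return null;      // gcd(a, m) != 1: no inverse exists
  return ((d % m) + m) % m;       // normalise into [0, m)
}

// Hardened front door: validate and normalise before any inverse computation.
// Rejects non-BigInt or unit moduli, reduces a into [0, m), refuses a ≡ 0
// (mod m) outright (0 has no inverse, and is the input that makes the
// unguarded loop above spin), then uses the division-based extended Euclidean
// algorithm, which terminates for every input that passes the checks.
function safeModInverse(a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint") throw new TypeError("BigInt inputs required");
  if (m <= 1n) throw new RangeError(`modulus must be > 1, got ${m}`);
  const r = ((a % m) + m) % m;
  if (r === 0n) throw new RangeError("0 has no inverse modulo m");
  let [oldR, newR] = [r, m];
  let [oldS, newS] = [1n, 0n];
  while (newR !== 0n) {
    const q = oldR / newR;
    [oldR, newR] = [newR, oldR - q * newR];
    [oldS, newS] = [newS, oldS - q * newS];
  }
  if (oldR !== 1n) throw new RangeError(`gcd(${r}, ${m}) = ${oldR}; no inverse`);
  return ((oldS % m) + m) % m;
}

// Demonstration on constructed inputs.
console.log("5^-1 mod 7 =", binaryModInverse(5n, 7n));
try {
  binaryModInverse(0n, 7n);
} catch (e) {
  console.log("zero input:", e.constructor.name, "-", e.message);
}
console.log("safeModInverse(5n, 7n) =", safeModInverse(5n, 7n));
try {
  safeModInverse(0n, 7n);
} catch (e) {
  console.log("zero input rejected up front:", e.message);
}
```

The point of the two halves is the order of operations: the validation in `safeModInverse` costs a single modulo and a comparison, and it runs before any loop whose termination depends on the input. Wrapping calls to a third-party `modInverse()` in the same kind of pre-check is a cheap defence in depth even after upgrading the library.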

`node-forge` provides a pure-JavaScript TLS/SSL stack and is pulled in indirectly by many web frameworks and build tools, so the patch reaches a large installed base and most teams will receive it transitively rather than through a direct dependency. Updating the package, including any nested copies in a lockfile, is the mitigation for this service-disruption risk. Because the attack exhausts CPU silently rather than throwing an error, it is most dangerous in applications that feed untrusted input into cryptographic operations, where one malformed request can stall a server.
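Because the vulnerable package usually arrives transitively, a direct `package.json` check is not enough: the same lockfile can hold a patched top-level copy and an older nested copy under another dependency. The following is an added example written for this page (not tooling from the advisory or the node-forge project) that walks a `package-lock.json` in the lockfileVersion 2/3 layout and flags every `node-forge` entry below 1.4.0. The lockfile object is constructed inline for the example; `findVulnerableForge`, `compareVersions` and `PATCHED` are names chosen here.

```javascript
// Added example, not from the advisory or node-forge. Audits a lockfile object
// for every installed copy of node-forge, nested copies included.

const PATCHED = "1.4.0"; // first release carrying the modInverse() fix per the advisory

// Parse "major.minor.patch" (any pre-release/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "1.10.0" sorts after "1.4.0" (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2/3 keeps every installed package under "packages", keyed by
// its path on disk, e.g. "node_modules/foo/node_modules/node-forge" for a copy
// nested under foo. Matching on the path suffix catches those nested copies.
function findVulnerableForge(lockfile, patched = PATCHED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (!path.endsWith("node_modules/node-forge")) continue;
    if (compareVersions(entry.version, patched) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is patched, but a build tool
// pins its own older copy, which is the case `npm ls` output can make easy to miss.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/node-forge": { version: "1.4.0" },
    "node_modules/some-dev-tool": { version: "2.1.0", dependencies: { "node-forge": "^1.3.0" } },
    "node_modules/some-dev-tool/node_modules/node-forge": { version: "1.3.2" },
  },
};

// Usage against a real project: replace sampleLock with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
for (const hit of findVulnerableForge(sampleLock)) {
  console.log(`vulnerable node-forge ${hit.version} at ${hit.path} (need >= ${PATCHED})`);
}
```

A non-empty result from `findVulnerableForge` means an `npm update`, an `overrides` entry in `package.json`, or a bump of the intermediate dependency is still needed even though the top-level copy is already fixed.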