Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition and loops forever, causing the Node.js process to hang indefinitely and consume 100% of CPU resources.
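As an added illustration (not code from `node-forge`, `jsbn` or the advisory), the block below re-implements a simplified binary extended Euclidean modular inverse over BigInt in the general shape of the `jsbn` routine, with a step budget so the zero-input case can be shown spinning without actually hanging the process, beside a guarded wrapper that rejects zero, multiples of the modulus and non-coprime inputs before the algorithm runs. The restriction to an odd modulus and all function names are assumptions of this example.

```javascript
// Added illustration, not node-forge or jsbn code: a simplified binary extended
// Euclidean inverse over BigInt for an odd modulus, shaped like the jsbn routine.
// `maxSteps` is an added safety budget so the unguarded path can be exercised
// without the infinite loop that CVE-2026-33891 describes.
const isEven = (x) => (x & 1n) === 0n;

// Returns a^-1 mod m, 0n when no inverse exists, or null when the step budget
// runs out (the point at which an unbounded routine would spin forever).
function modInverseUnguarded(a, m, maxSteps = 10000) {
  let u = m, v = a, b = 0n, d = 1n; // invariants: u = b*a (mod m), v = d*a (mod m)
  let steps = 0;
  while (u !== 0n) {
    while (isEven(u)) {           // strip factors of two from u, keeping b in step
      if (++steps > maxSteps) return null;
      u >>= 1n;
      if (!isEven(b)) b -= m;     // m is odd, so b - m is even and halves exactly
      b >>= 1n;
    }
    while (isEven(v)) {           // zero is even forever: v = 0 never leaves this loop
      if (++steps > maxSteps) return null;
      v >>= 1n;
      if (!isEven(d)) d -= m;
      d >>= 1n;
    }
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return 0n;        // gcd(a, m) != 1: no inverse exists
  d %= m;
  return d < 0n ? d + m : d;      // normalise the Bezout coefficient into [0, m)
}

// Defender-side precondition check: reject inputs the algorithm cannot handle
// before they reach it. Assumes an odd modulus (the usual RSA/prime-field case);
// even moduli are out of scope for this illustration.
function modInverseGuarded(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') throw new TypeError('BigInt inputs required');
  if (m <= 1n || isEven(m)) throw new RangeError('modulus must be an odd integer > 1');
  const r = ((a % m) + m) % m;    // reduce first: a multiple of m is zero mod m
  if (r === 0n) throw new RangeError('zero (or a multiple of the modulus) has no inverse');
  const inv = modInverseUnguarded(r, m, Infinity);
  if (inv === 0n) throw new RangeError('input is not coprime with the modulus');
  return inv;
}

console.log('unguarded inverse of 0 mod 7 with step budget:', modInverseUnguarded(0n, 7n, 1000)); // null
console.log('guarded inverse of 3 mod 7:', modInverseGuarded(3n, 7n));                              // 5n
```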
The vulnerability, rated as HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`. The library is a fundamental component for cryptographic operations in the Node.js ecosystem, used by thousands of projects for tasks like TLS, SSH, and digital signatures. Its integration into build scripts, hosting tools, and application dependencies makes this patch a high-priority update for development and security teams.
This patch is a mandatory security fix for any project using `node-forge` versions prior to 1.4.0. The advisory, published under GHSA, signals that immediate action is required to prevent potential service disruption. Developers must update their dependencies, particularly in automated deployment and hosting pipelines (such as the `/scripts/examples/hosting/update-single-file` path referenced in the source), where such a hang could cripple critical infrastructure. Failure to apply this update leaves systems vulnerable to a trivial attack vector that can cause complete resource exhaustion.