Critical DoS Flaw in node-forge (CVE-2026-33891) Prompts Urgent Update to v1.4.0
A high-severity Denial of Service vulnerability has been patched in the widely used node-forge cryptography library, and developers are urged to update to version 1.4.0. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this function is called with a zero value as input, it triggers an infinite loop in the Extended Euclidean Algorithm, causing the Node.js process to hang indefinitely and consume 100% of CPU resources. This creates a straightforward vector for service disruption in any application relying on the affected cryptographic operations.
The vulnerability was reported by a researcher known as Kr0emer and has been formally disclosed by the maintainers, Digital Bazaar, via a GitHub Security Advisory (GHSA). The fix is contained in the 1.4.0 release, published on March 24, 2026. The changelog explicitly classifies the issue as a HIGH severity security risk. The patch resolves the unreachable exit condition that caused the infinite loop, restoring normal function to the modular inverse calculation.
This update is critical for any project using node-forge for tasks like TLS/SSL, digital signatures, or certificate generation. The library is a foundational dependency for many Node.js tools and backend services. Failure to apply this patch leaves applications vulnerable to a simple, low-effort attack that can cripple server performance. Dependency management automation, such as Dependabot, is already generating pull requests to bump the version from 1.3.1 to 1.4.0, as seen in active repositories. This incident underscores the persistent security risks hidden within nested dependencies and the importance of prompt updates for cryptographic components.