Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which `node-forge` inherits from the bundled `jsbn` library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm loops on an exit condition that can never be reached, causing the Node.js process to hang indefinitely and consume 100% of its CPU.
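To illustrate the failure mode described above, here is an added example (not code from `node-forge` or `jsbn`): a BigInt modular inverse whose loop terminates on every input, rejecting a zero residue up front and additionally bounding the number of Euclidean steps so that a faulty exit condition cannot turn into an unbounded loop.

```javascript
// Added example, not node-forge/jsbn code. Extended Euclidean modular inverse
// over BigInt, written so that the zero input which hangs the vulnerable
// BigInteger.modInverse() instead fails fast with an exception.
function modInverse(a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint") {
    throw new TypeError("modInverse expects BigInt arguments");
  }
  if (m <= 1n) throw new RangeError("modulus must be greater than 1");

  // Normalise into [0, m). A zero residue has no inverse for any modulus,
  // so reject it before entering the loop rather than letting the algorithm
  // search for a gcd of 1 that will never appear.
  const a0 = ((a % m) + m) % m;
  if (a0 === 0n) throw new RangeError("0 has no inverse modulo " + m);

  // Defence in depth: every two Euclidean steps at least halve the remainder,
  // so a correct run needs at most 2 * bitLength(m) iterations. Enforcing that
  // bound guarantees termination even if the exit test below were wrong.
  const maxSteps = 2 * m.toString(2).length + 2;

  // Invariant: oldR === oldS * a (mod m); the loop ends when r reaches 0.
  let oldR = a0, r = m, oldS = 1n, s = 0n, steps = 0;
  while (r !== 0n) {
    if (++steps > maxSteps) {
      throw new Error("modInverse exceeded its iteration bound");
    }
    const q = oldR / r;            // BigInt division truncates, as Euclid needs
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) {
    throw new RangeError("no inverse: gcd(" + a0 + ", " + m + ") = " + oldR);
  }
  return ((oldS % m) + m) % m;     // map the coefficient back into [0, m)
}

// Convenience check a caller can use to pre-validate untrusted input.
function hasInverse(a, m) {
  try { modInverse(a, m); return true; } catch (e) { return false; }
}
```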
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`. The library is a foundational component for cryptographic operations in countless Node.js applications, making this patch a critical dependency update for developers and security teams.
This update underscores the persistent risk of supply chain attacks targeting core, low-level libraries. Organizations relying on `node-forge` for TLS, SSH, or other cryptographic functions must prioritize upgrading to version 1.4.0 to mitigate the risk of application instability and resource exhaustion attacks. The fix highlights the ongoing scrutiny of bundled dependencies and the importance of proactive vulnerability management in the open-source software ecosystem.