Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)
The node-forge cryptography library has released version 1.4.0 to patch a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition, so the Node.js process hangs indefinitely at 100% CPU. This gives any caller who can influence the input a straightforward vector for resource exhaustion.
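As an added example (not node-forge's or jsbn's code), the following BigInt-based helper applies the precondition the vulnerable path lacked: zero, and any value sharing a factor with the modulus, is rejected with an error before it can reach the Euclidean loop. The function and error names are this example's own.

```javascript
// Added example (not node-forge's code): a modular-inverse helper that
// rejects degenerate inputs up front instead of looping on them.

class NonInvertibleError extends Error {}

// Extended Euclidean algorithm: returns [g, x, y] with a*x + b*y = g = gcd(a, b).
// Every iteration strictly shrinks the remainder `r`, so the loop always exits,
// including for a === 0n (it returns [b, 0, 1] after one step).
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r; // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return [oldR, oldS, oldT];
}

// Returns a^-1 mod m, or throws NonInvertibleError when no inverse exists.
// Zero has no inverse modulo anything, and neither does any value that
// shares a factor with m, so both are refused immediately; a caller never
// hands them to an algorithm that cannot finish.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse expects BigInt arguments');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  const r = ((a % m) + m) % m; // normalise a into [0, m), handles negatives
  if (r === 0n) throw new NonInvertibleError('0 has no inverse mod m');
  const [g, x] = extendedGcd(r, m);
  if (g !== 1n) throw new NonInvertibleError(`gcd(a, m) = ${g}, not 1`);
  return ((x % m) + m) % m; // lift the Bezout coefficient into [0, m)
}

// Convenience for callers that prefer a null result over an exception for
// "no inverse"; programming errors (wrong types, bad modulus) still throw.
function tryModInverse(a, m) {
  try {
    return safeModInverse(a, m);
  } catch (e) {
    if (e instanceof NonInvertibleError) return null;
    throw e;
  }
}
```

The same shape applies when wrapping a library call: validate that the operand is non-zero and coprime to the modulus before invoking `modInverse()`, so untrusted input cannot select the non-terminating path.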
The vulnerability was reported by a researcher known as Kr0emer and has been assigned a HIGH severity rating by the maintainers. The node-forge library is a foundational tool for cryptographic operations in JavaScript and is widely used across the npm ecosystem. The specific function at risk is critical for computing modular inverses, a common operation in public-key cryptography implementations, including RSA key generation and certain signature schemes.
This patch is a critical security update for any project or service that depends on node-forge. Developers are urged to immediately upgrade from version 1.3.2 or earlier to version 1.4.0 to mitigate the risk of service disruption. The advisory underscores the persistent security challenges in widely adopted cryptographic dependencies and the cascading impact a single bug can have on the stability of countless applications.