node-forge Patches Critical DoS Vulnerability in BigInteger.modInverse() — CVE-2026-33891
The node-forge JavaScript cryptography library has released version 1.4.0, patching a high-severity Denial of Service vulnerability (CVE-2026-33891) in its BigInteger.modInverse() function. The flaw, discovered by researcher Kr0emer, stems from an infinite loop triggered when modInverse() receives a zero value as input: the internal extended Euclidean algorithm never reaches its exit condition, so the process hangs indefinitely and consumes 100% of CPU resources.
The vulnerability is inherited from the bundled jsbn (JavaScript Big Number) library, which node-forge has historically relied upon for cryptographic arithmetic operations. The flaw affects any application that calls modInverse() with untrusted input, creating a potential remote DoS vector depending on implementation context. GitHub's advisory database (GHSA) has catalogued the issue alongside the CVE, signaling elevated risk for projects depending on node-forge for TLS, encryption, or signing operations in production environments.
The patch, merged under the commit "Bump node-forge from 1.3.1 to 1.4.0," is the sole remediation path. Downstream projects are advised to audit their use of modInverse() and update immediately. While the immediate impact is limited to DoS conditions rather than data exfiltration, the severity rating and ubiquity of node-forge in Node.js ecosystems warrant prompt attention. The changelog confirms no other changes in 1.4.0 beyond this security fix, narrowing the scope for regression testing.
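As an added illustration (not node-forge's or jsbn's code), the following uses JavaScript's native BigInt to show the checks a caller should put in front of any modInverse() that receives untrusted input, which is what the audit recommended above amounts to in practice: reject a zero operand and an invalid modulus before the arithmetic runs, bound the extended Euclidean loop by the number of division steps Euclid's algorithm can take for a modulus of that size (Lamé's theorem: roughly 1.5 times the bit length), and verify the result before using it. The function names, the `maxSteps` cap and the sample inputs are assumptions of this example.

```javascript
// Added example: guarded modular inverse over native BigInt (not node-forge code).
// Shows the input validation, the iteration bound and the result check a caller
// should apply when modInverse() is fed values from an untrusted source.

function bitLength(n) {
  // m is always > 1 here, so the binary string has no sign character.
  return n === 0n ? 0 : n.toString(2).length;
}

// Reject inputs for which no inverse can exist before any loop is entered.
// A zero operand (the trigger for CVE-2026-33891) is caught here, as is any
// operand that is a multiple of m, which is the same thing modulo m.
function validateModInverseInput(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('operands must be BigInt');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  if (a % m === 0n) throw new RangeError('operand is zero mod m: no inverse exists');
}

// Division-based extended Euclidean algorithm with an explicit step cap.
// Invariant: s0 * a ≡ r0 (mod m) and s1 * a ≡ r1 (mod m) on every iteration,
// so when r0 becomes gcd(a, m) = 1, s0 is the inverse.
function safeModInverse(a, m) {
  validateModInverseInput(a, m);
  let r0 = ((a % m) + m) % m; // reduce a into [0, m), handles negatives
  let r1 = m;
  let s0 = 1n;
  let s1 = 0n;
  // Lamé: at most ~1.5 * bitLength(m) division steps, so this cap is never
  // hit by a well-formed input; it is defense in depth against any path that
  // would otherwise spin forever.
  const maxSteps = 2 * bitLength(m) + 2;
  let steps = 0;
  while (r1 !== 0n) {
    if (++steps > maxSteps) {
      throw new Error('extended Euclid exceeded its iteration bound; aborting');
    }
    const q = r0 / r1; // BigInt division truncates toward zero
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  if (r0 !== 1n) {
    throw new RangeError('operand and modulus are not coprime: no inverse exists');
  }
  return ((s0 % m) + m) % m;
}

// Post-condition check: any modInverse() result, from this function or from a
// library, should satisfy a * inv ≡ 1 (mod m). Cheap to verify, worth doing
// when the operands came from outside the process.
function verifyInverse(a, inv, m) {
  return ((((a % m) + m) % m) * inv) % m === 1n;
}

// Parse a decimal string from an untrusted source into a BigInt without
// letting a malformed value reach the arithmetic. Returns null on bad input.
function parseUntrustedBigInt(text) {
  if (typeof text !== 'string' || !/^-?\d+$/.test(text)) return null;
  return BigInt(text);
}

// Example usage with constructed sample input (a decimal string and modulus 11).
function inverseFromUntrusted(text, m) {
  const a = parseUntrustedBigInt(text);
  if (a === null) throw new TypeError('input is not a decimal integer');
  const inv = safeModInverse(a, m);
  if (!verifyInverse(a, inv, m)) throw new Error('inverse check failed');
  return inv;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(String(inverseFromUntrusted('3', 11n))); // 4, since 3 * 4 = 12 ≡ 1 (mod 11)
  try {
    inverseFromUntrusted('0', 11n);
  } catch (e) {
    console.log('rejected zero operand:', e.message);
  }
}
```

The validation step is the one that matters most for the reported flaw: a library that hangs on zero cannot be trusted to reject it for you, so the rejection has to happen in the caller, and verifying `a * inv ≡ 1 (mod m)` afterwards catches any other incorrect result regardless of which big-integer implementation produced it.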