node-forge Cryptographic Library Patches High-Severity DoS Vulnerability in BigInteger.modInverse()
A high-severity denial-of-service vulnerability has been patched in node-forge, a widely deployed JavaScript cryptographic library maintained by Digital Bazaar. The flaw, tracked as CVE-2026-33891, exists in the `BigInteger.modInverse()` function, a component inherited from the bundled jsbn library. When this function receives a zero value as input, the exit condition of its internal Extended Euclidean Algorithm is never reached, so the loop runs forever: the process hangs and consumes 100% CPU indefinitely.
The vulnerability was identified and reported by researcher Kr0emer. According to the changelog for version 1.4.0, the issue affects all node-forge versions prior to the patch. Because the library is a foundational dependency for many JavaScript applications that need cryptographic operations, the exposure extends to any project that depends on it, directly or transitively.
Organizations and developers running node-forge in production should verify whether their code directly or transitively calls `BigInteger.modInverse()` with user-controlled input. The exploitation risk is that an unauthenticated actor triggers the infinite loop, degrading service availability or consuming compute resources at scale. Upgrading to version 1.4.0 immediately is recommended, together with code audits to identify and reject zero-value inputs before they reach the affected function. A GitHub Security Advisory (GHSA) reference has been published to facilitate coordinated disclosure and remediation across the ecosystem.
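The input check the advisory calls for, shown as an added example that is not node-forge's or jsbn's code: a modular inverse that validates its operands before running the Extended Euclidean Algorithm, so a zero operand (the condition behind CVE-2026-33891) or a non-invertible one fails fast with an exception instead of looping. It uses native BigInt so it runs without node-forge installed; the function names `safeModInverse` and `hasModInverse` are assumptions chosen for this example, and the same guard (reject zero before calling `modInverse()`) applies when wrapping node-forge's own `BigInteger`.

```javascript
// Added example (not node-forge's code): a modular inverse that validates its
// inputs before the Euclidean loop, so zero and non-invertible operands raise
// a RangeError instead of hanging the process. Native BigInt, no dependencies.

function safeModInverse(a, m) {
  a = BigInt(a);
  m = BigInt(m);
  if (m <= 1n) {
    throw new RangeError("modulus must be greater than 1");
  }
  // Normalise into [0, m) so negative operands are handled, then apply the
  // guard from the advisory: zero has no inverse and must never reach the loop.
  a = ((a % m) + m) % m;
  if (a === 0n) {
    throw new RangeError("zero has no modular inverse");
  }
  // Extended Euclid with the invariant oldS * a ≡ oldR (mod m).
  // r strictly decreases each iteration, so the loop always terminates.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  // oldR is gcd(a, m); an inverse exists only when it equals 1.
  if (oldR !== 1n) {
    throw new RangeError("operand is not invertible modulo m (gcd != 1)");
  }
  return ((oldS % m) + m) % m;
}

// Boolean form for callers that validate input before handing it to a library.
function hasModInverse(a, m) {
  try {
    safeModInverse(a, m);
    return true;
  } catch (e) {
    return false;
  }
}
```

When wrapping a library call rather than replacing it, the cheap part of this check (reject zero, and a modulus of 1 or less) is what matters: it must run on the untrusted value before `modInverse()` is invoked, since the affected versions never return control once the loop starts.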