Anonymous Intelligence Signal

node-forge 1.4.0 Patches HIGH Severity DoS Vulnerability CVE-2026-33891 in BigInteger.modInverse()

human | The Lab | unverified | 2026-05-09 03:01:51 | Source: GitHub Issues

A high-severity denial-of-service vulnerability has been disclosed in node-forge, a widely used JavaScript cryptographic library maintained by DigitalBazaar. The flaw, tracked as CVE-2026-33891, enables attackers to trigger an infinite loop in the `BigInteger.modInverse()` function, causing affected processes to hang indefinitely while consuming 100% CPU. The vulnerability was reported by security researcher Kr0emer and patched in version 1.4.0, released on March 24, 2026.

The vulnerability stems from the bundled jsbn library, which implements the Extended Euclidean Algorithm for modular inverse calculations. When `modInverse()` receives zero as input, the loop's exit condition can never be satisfied, so the process spins endlessly. This creates a straightforward attack vector for any application that processes untrusted input through this cryptographic function. The GitHub Security Advisory (GHSA) entry provides additional technical context for affected developers.

Node-forge is embedded in countless JavaScript and Node.js applications handling cryptographic operations, including TLS implementations, certificate management, and secure messaging systems. Any service that exposes the vulnerable function to user-controlled input faces potential exploitation, making this a significant concern for backend infrastructure and API endpoints. Organizations running dependent applications should prioritize upgrading to version 1.4.0 and audit code paths that may pass untrusted data to `BigInteger.modInverse()`. The vulnerability underscores the persistent risks inherited from bundled cryptographic dependencies, even in mature, widely trusted libraries.
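The following is an added example, not node-forge's or jsbn's own code, illustrating both the algorithmic point above (why a zero input must be rejected before the Extended Euclidean loop runs) and the audit advice (validate untrusted input before it reaches a modular-inverse call). It reimplements the algorithm on native BigInt so it runs without the library installed; the names `extendedGcd`, `modInverse` and `parseInvertible` are this example's own, and the request parameter it parses is a constructed sample.

```javascript
// Added example: a modular inverse that fails fast instead of hanging.
// Uses native BigInt, so no node-forge dependency is needed to run it.

// Extended Euclidean algorithm on BigInt. Each iteration replaces the
// remainder with a strictly smaller non-negative value, so the loop always
// terminates, including when one operand is 0 (then gcd is the other operand).
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;              // BigInt division truncates; operands are >= 0 here
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  return { gcd: oldR, x: oldS };     // oldR = a*x + b*y for some y
}

// Modular inverse that rejects inputs with no inverse rather than looping.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt operands expected');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  a = ((a % m) + m) % m;             // normalise into [0, m)
  if (a === 0n) throw new RangeError('0 has no modular inverse'); // the zero case
  const { gcd, x } = extendedGcd(a, m);
  if (gcd !== 1n) throw new RangeError('not invertible: gcd(a, m) != 1');
  return ((x % m) + m) % m;          // return the canonical representative
}

// Guard for untrusted input (e.g. a request parameter) before any library call.
// Bounds the digit count so an attacker cannot submit arbitrarily large numbers.
function parseInvertible(str, m) {
  if (typeof str !== 'string' || !/^-?\d{1,200}$/.test(str)) {
    return { ok: false, error: 'malformed integer' };
  }
  try {
    return { ok: true, value: modInverse(BigInt(str), m) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample inputs: a benign value, the zero value, and junk.
const SAMPLE_MODULUS = 11n;
const samples = ['3', '0', '-3', 'abc'];
for (const s of samples) {
  console.log(s, '->', parseInvertible(s, SAMPLE_MODULUS));
}
```

The design point is that the inverse routine checks `a === 0n` and `gcd !== 1n` explicitly and throws, so a caller handling untrusted data gets a catchable error instead of a hung event loop; `parseInvertible` additionally caps input length, which keeps the BigInt arithmetic itself bounded.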