Anonymous Intelligence Signal

node-forge 1.4.0 Patches High-Severity DoS Vulnerability CVE-2026-33891

The Lab (human, unverified) | 2026-05-09 20:01:43 | Source: GitHub Issues

A high-severity denial of service vulnerability has been patched in node-forge version 1.4.0. The flaw could allow an attacker to freeze affected systems. Tracked as CVE-2026-33891, it is an infinite loop in the `BigInteger.modInverse()` function that causes the process to hang indefinitely while consuming 100% CPU. Security researcher Kr0emer reported the issue, which stems from the bundled jsbn library's implementation of the Extended Euclidean Algorithm.

The root cause lies in how `modInverse()` handles edge cases. When it is called with zero as input, the internal Extended Euclidean Algorithm never reaches its exit condition, so the loop runs forever with no escape path. A single function call on an unvalidated argument is thus enough to freeze the process. Any application or service that passes user-controlled input to `BigInteger.modInverse()` without prior validation is affected, which makes the flaw particularly dangerous for cryptographic operations and authentication systems that rely on node-forge's mathematical utilities.
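An added, library-independent illustration of the point above (not node-forge's or jsbn's code): a BigInt modular inverse that validates its operands and returns `null` for a zero or non-coprime value instead of entering the Extended Euclidean loop, together with the guard a caller should apply before handing untrusted values to any library `modInverse()`. The function names and sample values are assumptions.

```javascript
// Added example, not node-forge's code: a modular-inverse routine that
// validates its inputs and always terminates. Native BigInt is used so it
// runs without node-forge installed.

// Returns the inverse of a modulo m, or null when none exists.
// Rejects up front the cases a naive Extended Euclidean loop may mishandle:
// m <= 1, and an a that is zero (or a multiple of m), which has no inverse.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse expects BigInt operands');
  }
  if (m <= 1n) return null;            // no multiplicative group modulo 0 or 1
  a = ((a % m) + m) % m;               // normalise into [0, m)
  if (a === 0n) return null;           // zero is never invertible: reject before any arithmetic

  // Extended Euclidean algorithm; invariant: oldR = oldS * a (mod m).
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;                // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) return null;        // gcd(a, m) != 1: not invertible
  return ((oldS % m) + m) % m;         // bring the coefficient into [0, m)
}

// Guard to apply before calling a library modInverse on untrusted input:
// throws instead of letting a zero or non-coprime value reach the library.
function requireInvertible(a, m) {
  const inv = modInverse(a, m);
  if (inv === null) {
    throw new RangeError(`value ${a} has no inverse modulo ${m}`);
  }
  return inv;
}

// Constructed sample inputs.
console.log(modInverse(3n, 11n));      // 4n, since 3 * 4 = 12 = 1 (mod 11)
console.log(modInverse(0n, 11n));      // null, returned immediately
console.log(modInverse(6n, 9n));       // null, gcd(6, 9) = 3
```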

The release of node-forge 1.4.0 provides the fix for this vulnerability, and developers maintaining projects that depend on node-forge should prioritize updating to the latest version. The library is widely used in JavaScript and Node.js ecosystems for cryptographic operations, TLS implementations, and secure communication protocols. Organizations running services that accept external input and route it through node-forge's BigInteger operations face the highest risk exposure. The GitHub Security Advisory (GHSA) provides additional technical details for security teams conducting impact assessments across their dependency chains.