node-forge 1.4.0 Patches HIGH-Severity DoS Vulnerability in BigInteger.modInverse()
A high-severity denial-of-service vulnerability has been patched in node-forge, a widely-used JavaScript cryptography library maintained by DigitalBazaar. The fix, released in version 1.4.0, addresses a critical flaw in the `BigInteger.modInverse()` function that could allow attackers to trigger an infinite loop, causing affected processes to hang indefinitely while consuming 100% CPU resources.
The vulnerability stems from the bundled jsbn library implementation. When `modInverse()` is invoked with a zero value as input, the internal Extended Euclidean Algorithm enters a loop whose exit condition can never be reached. This creates a persistent hang that can exhaust server resources without requiring authentication or complex exploit chains. Security researcher Kr0emer disclosed the issue, which has been classified as HIGH severity. The update also cascades to downstream packages, requiring a coordinated update of the dependent package @parse/node-apn in projects that rely on the Parse platform's Apple Push Notification integration.
Developers and DevOps teams maintaining Node.js applications with cryptographic operations should treat this as a priority update. The node-forge library is commonly embedded in authentication systems, certificate handling, and secure communication layers—infrastructure components where a DoS condition could cascade into broader service disruption. Organizations running unpatched versions remain exposed to relatively simple resource-exhaustion attacks if attacker-controlled input can reach the vulnerable function. The coordinated dependency bump with @parse/node-apn signals that Parse-powered mobile backends may be particularly affected, requiring both packages to be updated in tandem to fully resolve the exposure.
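The defensive pattern the advisory implies, as an added example that is not node-forge's or jsbn's code: validate an untrusted operand before any modular-inverse loop runs, so a zero (or otherwise non-invertible) value fails fast instead of hanging. The routine below uses native BigInt and a textbook (non-binary) Extended Euclidean Algorithm; the function names `modInverse` and `safeModInverse` are this example's own.

```javascript
// Added example: input-validated modular inverse using native BigInt.
// It does not call node-forge; the point is the guard in front of the loop.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse expects BigInt operands');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  // Reduce into [0, m) so negative inputs are handled uniformly.
  a = ((a % m) + m) % m;
  // Reject 0 before any loop runs: 0 has no modular inverse, and an
  // unchecked 0 reaching the inverse loop is exactly the hang described above.
  if (a === 0n) throw new RangeError('0 has no modular inverse');

  // Extended Euclidean Algorithm with the invariant oldR = oldS*a (mod m).
  // Remainders strictly decrease each iteration, so the loop always terminates.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;            // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  // oldR is gcd(a, m); an inverse exists only when it equals 1.
  if (oldR !== 1n) throw new RangeError('operand is not coprime to the modulus');
  return ((oldS % m) + m) % m;     // normalise a possibly negative coefficient
}

// Boundary for attacker-reachable input: any rejection becomes a null result
// the caller can handle, rather than an exception or a stalled event loop.
function safeModInverse(a, m) {
  try {
    return modInverse(a, m);
  } catch (e) {
    return null;
  }
}
```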