## Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition, causing the Node.js process to hang indefinitely and consume 100% of CPU resources.
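To make the failure mode concrete, here is an added example (not node-forge's or jsbn's code, and not a reproduction of the patched routine) of a modular inverse built on native JavaScript `BigInt` that rejects the degenerate inputs on which an unguarded extended Euclidean loop would never terminate. The `hasModInverse` guard is the kind of pre-check a caller can run on untrusted values before handing them to any library `modInverse`; the function names and the `BigInt` API choice are this example's own assumptions, not something the advisory describes.

```javascript
// Added example, not node-forge code. Computes a^-1 mod m with the extended
// Euclidean algorithm, throwing instead of looping on inputs that have no
// inverse (a == 0 mod m, m <= 1, or gcd(a, m) != 1).
function modInverse(a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint") {
    throw new TypeError("modInverse expects BigInt arguments");
  }
  if (m <= 1n) throw new RangeError("modulus must be greater than 1");

  // Normalise a into [0, m). Zero has no inverse because gcd(0, m) = m != 1.
  a = ((a % m) + m) % m;
  if (a === 0n) throw new RangeError("0 has no modular inverse");

  // Extended Euclid on (m, a): r1 strictly decreases and stays >= 0 on every
  // iteration, so the loop is bounded by the number of division steps.
  let [r0, r1] = [m, a];
  let [t0, t1] = [0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1; // BigInt division truncates, which is what Euclid needs
    [r0, r1] = [r1, r0 - q * r1];
    [t0, t1] = [t1, t0 - q * t1];
  }
  if (r0 !== 1n) {
    throw new RangeError("inputs are not coprime, no inverse exists");
  }
  return ((t0 % m) + m) % m; // bring the Bezout coefficient into [0, m)
}

// Cheap guard for callers: does a have an inverse mod m at all?
// Uses plain Euclid for gcd; also returns false for non-BigInt or bad modulus.
function hasModInverse(a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint" || m <= 1n) return false;
  let x = ((a % m) + m) % m;
  let y = m;
  while (x !== 0n) [x, y] = [y % x, x];
  return y === 1n;
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(modInverse(3n, 11n));       // 4n, since 3 * 4 = 12 = 1 mod 11
  console.log(hasModInverse(0n, 11n));    // false: this is the input class the advisory describes
  try {
    modInverse(0n, 11n);
  } catch (e) {
    console.log("rejected:", e.message);  // terminates with an error instead of spinning
  }
}
```

The guard does not replace the upgrade to 1.4.0: the point is that a modular inverse routine must treat "no inverse exists" as a terminating error path, and that callers who accept attacker-influenced operands should validate them before a library call rather than trusting the library to bail out.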

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in version 1.4.0 of `node-forge`, released on March 24, 2026. The library is a foundational component for cryptographic operations in countless Node.js applications, particularly in web frontend and backend toolchains, making this patch a high-priority update for development and security teams.

This patch underscores the persistent risk of inherited vulnerabilities in bundled dependencies. The specific infinite loop condition presents a clear vector for resource exhaustion attacks. Organizations relying on `node-forge` versions prior to 1.4.0, especially version 1.3.1, are urged to update immediately to mitigate the risk of service disruption. The advisory, published via GitHub Security Advisories (GHSA), provides the definitive fix for this critical path in cryptographic computation.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, nodejs, cryptography, CVE-2026-33891
- **Credibility**: unverified
- **Published**: 2026-03-26 22:27:24
- **ID**: 36179
- **URL**: https://whisperx.ai/en/intel/36179