## Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition, so the Node.js process hangs indefinitely and consumes 100% of a CPU core.

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in `node-forge` version 1.4.0, released on March 24, 2026. The changelog for this release explicitly lists the security fix, indicating the maintainers' recognition of the risk. The library is a foundational component for cryptographic operations in many Node.js applications, making this patch a priority for security teams managing dependencies.

This update signals immediate pressure on development and security operations teams to audit their dependency trees and upgrade from version 1.3.1 or earlier. Any application using the vulnerable function is exposed to a trivial DoS attack vector, where a malicious actor could trigger the infinite loop and cripple service availability. The fix underscores the persistent risk of inherited vulnerabilities in bundled dependencies and the critical need for proactive dependency management in software supply chains.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33891, Node.js, Cryptography, Denial of Service, Supply Chain Security
- **Credibility**: unverified
- **Published**: 2026-03-26 23:27:32
- **ID**: 36280
- **URL**: https://whisperx.ai/en/intel/36280