## Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a zero value as input, the loop implementing the internal Extended Euclidean Algorithm never reaches its exit condition, causing the Node.js process to hang indefinitely and consume 100% CPU. This creates a straightforward vector for resource exhaustion attacks.
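As an added example (not `node-forge` or `jsbn` code), the following shows an Extended Euclidean modular inverse that terminates for every input, including zero, together with a guard a caller can place in front of any library `modInverse()` that receives untrusted operands; the function names are illustrative.

```javascript
// Added example, not node-forge's own code: a modular inverse via the Extended
// Euclidean Algorithm that terminates for every input, including a == 0, plus
// an input guard for values that will be handed to a third-party modInverse().

// Extended Euclid on BigInt: returns {g, x, y} with a*x + m*y = g = gcd(a, m).
// r1 strictly decreases on every iteration, so the loop always reaches r1 == 0n.
function extendedGcd(a, m) {
  let [r0, r1] = [a, m];
  let [x0, x1] = [1n, 0n];
  let [y0, y1] = [0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;              // BigInt division truncates toward zero
    [r0, r1] = [r1, r0 - q * r1];
    [x0, x1] = [x1, x0 - q * x1];
    [y0, y1] = [y1, y0 - q * y1];
  }
  return { g: r0, x: x0, y: y0 };
}

// Modular inverse of a mod m, or null when no inverse exists (gcd != 1).
// a == 0 is handled by the gcd check: gcd(0, m) == m, which is != 1 for m > 1,
// so the zero case returns instead of spinning.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint' || m <= 1n) return null;
  a = ((a % m) + m) % m;            // reduce into [0, m)
  const { g, x } = extendedGcd(a, m);
  if (g !== 1n) return null;        // covers a == 0 and any non-coprime a
  return ((x % m) + m) % m;
}

// Guard for an untrusted operand (e.g. a decimal string taken from a request)
// before it reaches a library BigInteger.modInverse(): accept only a bounded
// digit string, reject zero, and reject values outside [1, m).
function parseInvertibleOperand(text, m) {
  if (typeof text !== 'string' || !/^[0-9]{1,1000}$/.test(text)) return null;
  const a = BigInt(text);
  if (a === 0n || a >= m) return null;
  return a;
}
```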

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer and is addressed in the newly released `node-forge` version 1.4.0. The library is a foundational component for cryptographic operations—including TLS, X.509 certificates, and PKI—in countless Node.js applications and dependencies. Its pervasive use across the npm ecosystem means the potential attack surface is significant, though exploitation requires the vulnerable function to be invoked with specific, attacker-controlled input.

The patch, released on March 24, 2026, underscores the persistent risks in core cryptographic dependencies. Developers and security teams must prioritize updating to version 1.4.0 to mitigate this DoS risk. The incident also highlights the security debt carried by inherited, bundled code libraries like `jsbn`, where a single flaw can propagate silently through the software supply chain until discovered and patched.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: node-forge, CVE-2026-33891, Denial of Service, npm, cryptography
- **Credibility**: unverified
- **Published**: 2026-03-29 04:27:01
- **ID**: 39580
- **URL**: https://whisperx.ai/en/intel/39580