## node-forge 1.3.1 DoS Vulnerability Patched: BigInteger.modInverse() Infinite Loop Exposes Systems to CPU Exhaustion
A critical denial-of-service vulnerability in the node-forge cryptographic library has been remediated through an emergency update to version 1.4.0. The flaw, tracked as CVE-2026-33891, resided in the BigInteger.modInverse() function inherited from the bundled jsbn library. When invoked with a zero value, the function's internal Extended Euclidean Algorithm never reaches its exit condition, so it loops indefinitely, hangs the process and consumes 100 percent of available CPU resources.

The vulnerability was identified and responsibly disclosed by researcher Kr0emer. Node-forge, a widely deployed JavaScript implementation of cryptographic primitives used by numerous downstream projects, bundles the vulnerable jsbn code directly. Any application that exposes modInverse() to attacker-controlled input faces risk of targeted DoS attacks that could freeze affected services. The high-severity rating reflects the ease of exploitation and the complete availability impact on affected processes.

The patched release, version 1.4.0, corrects the underlying algorithm logic to properly handle edge-case inputs. Maintainers of any project depending on node-forge versions prior to 1.4.0 are urged to update dependencies immediately. Given the library's prevalence as a transitive dependency in many JavaScript and Node.js ecosystems, security teams should audit direct and indirect package trees for exposure. The vulnerability's presence in a bundled third-party library underscores the compounding risk of embedded code that may not receive the same scrutiny as primary dependencies.
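The defensive pattern the advisory implies, as an added example that is not node-forge or jsbn code: a modular inverse over native BigInt whose Extended Euclidean loop terminates for every input (zero, negative, non-coprime, or a modulus of 0 or 1) and reports "no inverse" instead of looping, plus a coprimality check that can be placed in front of any library modInverse() that receives untrusted values. Function names are the example's own.

```javascript
// Added example, not library code. Euclid's gcd over BigInt; terminates
// because the remainder strictly decreases each iteration.
function gcd(a, b) {
  a = a < 0n ? -a : a;
  b = b < 0n ? -b : b;
  while (b !== 0n) [a, b] = [b, a % b];
  return a;
}

// Input guard for untrusted values: an inverse exists only when
// m > 1 and gcd(a, m) == 1, which rules out a == 0 (gcd(0, m) == m).
function isInvertible(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') return false;
  return m > 1n && gcd(a, m) === 1n;
}

// Extended Euclidean inverse with explicit edge-case handling.
// Returns null when no inverse exists rather than looping or throwing.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse expects BigInt arguments');
  }
  if (m <= 1n) return null;        // no multiplicative group mod 0 or 1
  a = ((a % m) + m) % m;           // normalise into [0, m)
  if (a === 0n) return null;       // the case behind the reported hang

  // Invariant: oldS*a0 + t*m == oldR for the original a0; t is not tracked.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {               // r strictly decreases, so this ends
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) return null;    // gcd(a, m) != 1: not invertible
  return ((oldS % m) + m) % m;     // bring the coefficient into [0, m)
}

module.exports = { gcd, isInvertible, modInverse };
```

Whichever BigInteger implementation sits underneath, the same pre-check (reject zero and non-coprime values before the library call) keeps attacker-controlled input away from code paths that assume an inverse exists.
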

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, CVE-2026-33891, denial-of-service, node-forge, jsbn
- **Credibility**: unverified
- **Published**: 2026-04-23 21:54:12
- **ID**: 76534
- **URL**: https://whisperx.ai/en/intel/76534