## High-Severity DoS Vulnerability Patched in node-forge: Zero-Value Input Triggers Infinite Loop in BigInteger.modInverse()
A critical denial-of-service vulnerability has been identified and patched in node-forge, a widely used JavaScript cryptography library. The flaw, tracked as CVE-2026-33891, exists within the BigInteger.modInverse() function, a component inherited from the bundled jsbn library. Security researcher Kr0emer reported that when modInverse() receives a zero value as input, the exit condition of the internal Extended Euclidean Algorithm loop is never reached, so the affected process hangs indefinitely while consuming 100% of a CPU core.

The vulnerability affects node-forge versions prior to 1.4.0, which was released to address the issue. The patch eliminates the DoS vector by preventing the infinite loop. The flaw affects applications that pass unvalidated zero values to the modInverse() function, a relatively uncommon but plausible code path in cryptographic operations that require modular arithmetic.

The discovery raises security concerns for projects relying on node-forge for TLS implementations, encryption utilities, and cryptographic primitives in Node.js environments. Applications that directly expose modInverse() functionality or use it internally without input validation remain potentially exposed. Developers using node-forge should verify their dependency versions and ensure zero-value inputs are properly validated before passing them to cryptographic functions. The library maintainers have assigned a HIGH severity rating to this vulnerability, signaling the need for immediate attention in production environments.
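The mitigation the advisory recommends, validating the input before it reaches a library's modInverse(), is shown below as an added example; it is not code from node-forge or jsbn. `safeModInverse` and `assertInvertible` are names chosen here. The routine computes the inverse with the Extended Euclidean Algorithm over BigInt, rejects a zero (or otherwise non-invertible) value up front instead of looping, and `assertInvertible` is the guard a caller would place ahead of any library call so that a zero value never reaches code that cannot handle it.

```javascript
// Added example (not node-forge's own code): a modular-inverse routine that
// validates its inputs and always terminates, plus a guard that rejects the
// zero-value input the advisory describes before it reaches a library call.

// Extended Euclidean algorithm over BigInt. Returns the inverse of a modulo m,
// or null when no inverse exists (a is 0 mod m, or gcd(a, m) != 1).
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse expects BigInt arguments');
  }
  if (m <= 1n) return null;          // no multiplicative group to invert in
  a = ((a % m) + m) % m;             // normalise negative inputs into [0, m)
  if (a === 0n) return null;         // zero is never invertible: stop here, no loop
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {                 // gcd loop; r strictly decreases, so it terminates
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) return null;      // gcd != 1: not invertible
  return ((oldS % m) + m) % m;       // oldS * a == 1 (mod m); return it in [0, m)
}

// Guard to place in front of any library modInverse() call: throws on the
// inputs that have no inverse instead of handing them to the library.
function assertInvertible(a, m) {
  const inv = safeModInverse(a, m);
  if (inv === null) {
    throw new RangeError(`value ${a} has no inverse modulo ${m}`);
  }
  return inv;
}

// Constructed sample calls.
console.log(safeModInverse(3n, 11n));   // 4n, since 3 * 4 = 12 = 1 (mod 11)
console.log(safeModInverse(0n, 11n));   // null, rejected without looping
try {
  assertInvertible(0n, 11n);
} catch (e) {
  console.log(e.message);               // "value 0 has no inverse modulo 11"
}
```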

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33891, denial-of-service, node-forge, javascript, cryptography
- **Credibility**: unverified
- **Published**: 2026-05-04 10:54:08
- **ID**: 79247
- **URL**: https://whisperx.ai/en/intel/79247