CVE-2026-33891

Name of the Vulnerable Software and Affected Versions node-forge versions prior to 1.4.0

Description A Denial of Service (DoS) issue exists in the node-forge library due to an infinite loop within the BigInteger.modInverse() function, inherited from the bundled jsbn library. When modInverse() is called with a zero value as input, the Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. This can occur if the application processes untrusted input that reaches the modInverse() function, potentially impacting applications utilizing DSA/ECDSA signature verification, custom RSA or Diffie-Hellman implementations, or other cryptographic protocols where an attacker can influence values passed to modInverse(). A single malicious request can cause the Node.js event loop to block, rendering the application unresponsive.

Recommendations Versions prior to 1.4.0: Upgrade to version 1.4.0 or later to resolve the issue.