Platform: nodejs
Component: node-forge
Fixed in: 1.4.1, 1.4.0
A Denial of Service (DoS) vulnerability has been identified in the node-forge library, specifically in its BigInteger.modInverse() function, which is inherited from the bundled jsbn library. The flaw allows an attacker to trigger an infinite loop, leading to a complete hang of the affected process and 100% CPU utilization. All versions of the node-forge package (npm: node-forge) prior to the fix are affected; the fix is available in version 1.4.0.
The primary impact of CVE-2026-33891 is denial of service. An attacker can trigger the vulnerability by sending a crafted request that causes BigInteger.modInverse() to be called with a zero value. For that input the exit condition of the Extended Euclidean Algorithm is never reached, so the function loops forever. The affected process then consumes 100% of a CPU, effectively freezing the application and preventing it from responding to legitimate requests. This can lead to service outages and disruption of critical business functions. The blast radius extends to any application relying on the vulnerable node-forge library, potentially impacting a wide range of services.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature makes it relatively easy to trigger. The probability of exploitation is considered medium due to the ease of triggering the DoS condition and the widespread use of node-forge. The vulnerability was publicly disclosed on 2026-03-26.
Applications built on Node.js that use the node-forge library for cryptographic operations are at risk. This includes web applications, APIs, and command-line tools. Projects that have not been updated recently, or that rely on older dependencies, are particularly exposed.
• nodejs / server: npm list node-forge # Check installed version
• nodejs / server: ps aux | grep forge # Check for processes using node-forge
• nodejs / server: journalctl -u node -f # Monitor Node.js logs for errors related to BigInteger or modInverse
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-33891 is to immediately upgrade to version 1.4.0 of the node-forge library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to prevent the BigInteger.modInverse() function from being called with a zero value. While not a complete solution, this can reduce the attack surface. Monitor CPU usage for unexpected spikes, which could indicate exploitation. If using a WAF, consider implementing rules to block requests containing potentially malicious input to the BigInteger.modInverse() function. After upgrading, confirm the fix by attempting to call BigInteger.modInverse() with a zero value and verifying that the process does not hang.
Update the node-forge library to version 1.4.0 or later. This version fixes the denial-of-service vulnerability caused by an infinite loop in the BigInteger.modInverse() function when it receives a zero value as input. The update prevents the process from hanging and consuming 100% of the CPU.
CVE-2026-33891 is a denial-of-service vulnerability in the node-forge library where a crafted input to BigInteger.modInverse() causes an infinite loop, leading to 100% CPU usage.
Yes, all versions of node-forge prior to 1.4.0 are affected by this vulnerability. If you are using node-forge, you should upgrade immediately.
Upgrade to version 1.4.0 of the node-forge library using npm: npm install node-forge@1.4.0. If upgrading is not possible, implement input validation to prevent zero values from being passed to BigInteger.modInverse().
While no active exploitation has been confirmed, the vulnerability is relatively easy to trigger, increasing the likelihood of exploitation.
Refer to the node-forge GitHub repository for updates and advisories: https://github.com/digitalbazaar/forge