NextGuard
UNKNOWNCVE-2026-33891

Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Platform

nodejs

Component

node-forge

Fixed in

1.4.0

View on NVD

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.

How to fix

Actualice la biblioteca node-forge a la versión 1.4.0 o superior. Esta versión corrige la vulnerabilidad de denegación de servicio causada por un bucle infinito en la función BigInteger.modInverse() al recibir un valor cero como entrada. La actualización evitará que el proceso se cuelgue y consuma el 100% de la CPU.

Monitor your dependencies automatically

Get notified when new vulnerabilities affect your projects. Free forever.

Start free
CVE-2026-33891 — Vulnerability Details | NextGuard | NextGuard