Platform: nodejs
Component: node-forge
Fixed in: 1.4.1, 1.4.0
A Denial of Service (DoS) vulnerability has been identified in the node-forge JavaScript library, a widely used component for cryptographic operations in Node.js applications. The vulnerability stems from an infinite loop in the BigInteger.modInverse() function, which node-forge inherits from the bundled jsbn library. Triggering it hangs the process at 100% CPU, disrupting application availability. All versions of node-forge prior to 1.4.0 are affected, and a fix is available in version 1.4.0.
The primary impact of CVE-2026-33891 is denial of service. An attacker can trigger the vulnerability by supplying input that causes the application to call BigInteger.modInverse() with a zero value. The function then enters the Extended Euclidean Algorithm loop with an exit condition that can never be reached, so the loop never terminates. The affected process consumes 100% of its CPU, freezing the application and preventing it from responding to legitimate requests, which can lead to service outages and disruption of critical business functions. The blast radius extends to any application relying on the vulnerable node-forge library, potentially impacting a wide range of services.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature makes it relatively easy to trigger. The probability of exploitation is considered medium due to the ease of triggering the DoS condition and the widespread use of node-forge. The vulnerability was publicly disclosed on 2026-03-26.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-33891 is to upgrade immediately to version 1.4.0 of the node-forge library. If upgrading is not immediately feasible because of compatibility issues or breaking changes, implement input validation so that BigInteger.modInverse() is never called with a zero value. This is not a complete solution, but it reduces the attack surface. Monitor CPU usage for unexpected sustained spikes, which could indicate that the hang has been triggered. If a WAF is in place, consider rules that block requests carrying input that would reach BigInteger.modInverse(). After upgrading, confirm the fix by calling BigInteger.modInverse() with a zero value and verifying that the call returns rather than hanging; run this check in a test environment under a timeout, since on an unpatched version it will pin the process at 100% CPU.
Update the node-forge library to version 1.4.0 or higher. This version fixes the denial of service vulnerability caused by an infinite loop in the BigInteger.modInverse() function when it receives a zero value as input. The update prevents the process from hanging and consuming 100% CPU.
CVE-2026-33891 is a denial-of-service vulnerability in the node-forge library where a crafted input to BigInteger.modInverse() causes an infinite loop, leading to 100% CPU usage.
Yes, all versions of node-forge prior to 1.4.0 are affected by this vulnerability. If you are using node-forge, you should upgrade immediately.
Upgrade to version 1.4.0 of the node-forge library using npm: npm install node-forge@1.4.0. If upgrading is not possible, implement input validation to prevent zero values from being passed to BigInteger.modInverse().
While no active exploitation has been confirmed, the vulnerability is relatively easy to trigger, increasing the likelihood of exploitation.
Refer to the node-forge GitHub repository for updates and advisories: https://github.com/digitalbazaar/forge