VYPR
High severity, score 7.5 (NVD) · Advisory · Published Mar 27, 2026 · Updated Apr 8, 2026

CVE-2026-33891

Description

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal extended Euclidean algorithm loops on an exit condition that can never be satisfied, so the process hangs indefinitely and consumes 100% CPU. Version 1.4.0 patches the issue.
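To make the failure mode concrete, here is an added example (not node-forge's own code) that ports the binary extended-Euclid inverse of HAC 14.61, the algorithm jsbn's bnModInverse follows, to JavaScript BigInt. It is instrumented with a step bound so that the zero-input case reports "no progress" instead of hanging, and it carries an option that applies the equivalent of the 1.4.0 guard. The names modInverseHAC, terminates, isInverse, MAX_STEPS and the guardZero option are this example's own assumptions.

```javascript
// Added example, not node-forge's code: a BigInt port of the binary
// extended-Euclid modular inverse (HAC 14.61) that jsbn's bnModInverse
// follows, instrumented with a step bound so the zero-input case reports
// "no progress" instead of hanging the process. The names modInverseHAC,
// terminates, isInverse, MAX_STEPS and the guardZero option are this
// example's own.

const MAX_STEPS = 10000; // constructed bound; a real inverse needs far fewer steps

function isEven(x) { return (x & 1n) === 0n; }

// Returns x^-1 mod m, or 0n when no inverse exists (jsbn's convention).
// opts.guardZero applies the equivalent of the 1.4.0 fix: return 0n for x == 0.
function modInverseHAC(x, m, opts = {}) {
  if (opts.guardZero && x === 0n) return 0n;        // the patched early return
  const ac = isEven(m);
  if ((isEven(x) && ac) || m === 0n) return 0n;      // the pre-existing checks
  let u = m, v = x;
  let a = 1n, b = 0n, c = 0n, d = 1n;
  let steps = 0;
  const tick = () => {
    if (++steps > MAX_STEPS) throw new Error('no progress after ' + MAX_STEPS + ' steps');
  };
  while (u !== 0n) {
    while (isEven(u)) {
      tick();
      u >>= 1n;
      if (ac) {
        if (!isEven(a) || !isEven(b)) { a += x; b -= m; }
        a >>= 1n;
      } else if (!isEven(b)) {
        b -= m;
      }
      b >>= 1n;
    }
    // With x == 0 we arrive here with v == 0: zero is even and 0 >> 1 is
    // still 0, so this loop's exit condition can never be met.
    while (isEven(v)) {
      tick();
      v >>= 1n;
      if (ac) {
        if (!isEven(c) || !isEven(d)) { c += x; d -= m; }
        c >>= 1n;
      } else if (!isEven(d)) {
        d -= m;
      }
      d >>= 1n;
    }
    tick();
    if (u >= v) { u -= v; if (ac) a -= c; b -= d; }
    else        { v -= u; if (ac) c -= a; d -= b; }
  }
  if (v !== 1n) return 0n;   // gcd != 1: not invertible
  if (d >= m) return d - m;
  if (d < 0n) d += m;
  return d < 0n ? d + m : d;
}

// Defender-side check: does the routine return at all for this input?
function terminates(x, m, opts) {
  try { modInverseHAC(x, m, opts); return true; }
  catch (e) { if (/no progress/.test(e.message)) return false; throw e; }
}

// Sanity check that a returned inverse really is one.
function isInverse(x, inv, m) {
  return (((x * inv) % m) + m) % m === 1n;
}

console.log('3^-1 mod 7 =', modInverseHAC(3n, 7n).toString());                         // 5
console.log('unguarded 0 mod 3 terminates:', terminates(0n, 3n));                        // false
console.log('guarded   0 mod 3 terminates:', terminates(0n, 3n, { guardZero: true }));   // true
```

The guard has to sit before the existing even/zero-modulus checks because those never reject x == 0 with an odd modulus; returning 0n for that case reuses the sentinel the routine already uses for non-invertible inputs, so callers see the same value they would for any other input with no inverse.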

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
node-forge   npm         < 1.4.0             1.4.0

Patches
9bb8d67b99d1

fix(jsbn): prevent modInverse hang for zero input

https://github.com/digitalbazaar/forge · Kr0emer · Mar 1, 2026 · via ghsa
3 files changed · +47 −0
  • lib/jsbn.js (+1 −0, modified)
    @@ -1122,6 +1122,7 @@ function bnpModInt(n) {
     
     // (public) 1/this % m (HAC 14.61)
     function bnModInverse(m) {
    +  if(this.signum() == 0) return BigInteger.ZERO;
       var ac = m.isEven();
       if((this.isEven() && ac) || m.signum() == 0) return BigInteger.ZERO;
       var u = m.clone(), v = this.clone();
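Review bot: the new early return has no comment explaining why it is needed, and the reason is not obvious from the surrounding lines; suggest documenting it, e.g. `// zero has no inverse and would otherwise loop forever: v starts at 0 and stays 0 under rShiftTo`. Returning `BigInteger.ZERO` is consistent with the non-invertible sentinel the existing `if((this.isEven() && ac) || m.signum() == 0)` line already uses, so callers get the same value for "no inverse" as before. Placing the check before `m.isEven()` is the right order, since the pre-existing checks never reject a zero `this` when `m` is odd.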
    
  • tests/unit/index.js (+1 −0, modified)
    @@ -1,4 +1,5 @@
     require('./forge');
    +require('./jsbn');
     require('./util');
     require('./md5');
     require('./sha1');
    
  • tests/unit/jsbn.js (+45 −0, added)
    @@ -0,0 +1,45 @@
    +var ASSERT = require('assert');
    +
    +(function() {
    +  if(typeof process === 'undefined' ||
    +    !process.versions || !process.versions.node) {
    +    return;
    +  }
    +
    +  var moduleRequire = module.require ? module.require.bind(module) : require;
    +  var PATH = moduleRequire('path');
    +  var spawnSync = moduleRequire('child_process').spawnSync;
    +
    +  describe('jsbn', function() {
    +    it('should return 0 for BigInteger(0).modInverse(3) without hanging', function() {
    +      var script = [
    +        'var JSBN = require("./lib/jsbn");',
    +        'var BigInteger = JSBN.BigInteger;',
    +        'var zero = new BigInteger("0", 10);',
    +        'var mod = new BigInteger("3", 10);',
    +        'var inv = zero.modInverse(mod);',
    +        'process.stdout.write(inv.toString());'
    +      ].join('\n');
    +
    +      var result = spawnSync(process.execPath, ['-e', script], {
    +        cwd: PATH.join(__dirname, '../..'),
    +        encoding: 'utf8',
    +        timeout: 2000
    +      });
    +
    +      if(result.error) {
    +        if(result.error.code === 'EPERM') {
    +          this.skip();
    +          return;
    +        }
    +        if(result.error.code === 'ETIMEDOUT') {
    +          ASSERT.fail('BigInteger(0).modInverse(3) timed out.');
    +        }
    +        throw result.error;
    +      }
    +
    +      ASSERT.equal(result.status, 0, result.stderr);
    +      ASSERT.equal(result.stdout, '0');
    +    });
    +  });
    +})();
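Review bot: the new test only covers the regression input (zero with modulus 3); it would be worth adding a positive case in the same script, e.g. that `new BigInteger("3", 10).modInverse(new BigInteger("7", 10))` still prints `5`, so a future change to the guard cannot silently break ordinary inverses while this test keeps passing. Two smaller points: the fixed `timeout: 2000` may be tight on slow CI runners, and since a hang is reported as `ETIMEDOUT` a larger value costs nothing on the passing path; and `ASSERT.equal(result.status, 0, result.stderr)` is good, but the `ETIMEDOUT` branch already calls `ASSERT.fail`, so the `throw result.error` after it is only reached for other error codes, which a short comment would make clear. Spawning a child process so that a regression surfaces as a timeout rather than hanging the whole suite is the right design.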
    
