Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.

Affected Products

Vendor	Product	Versions
digitalbazaar	forge	< 1.4.0

References

https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx(x_refsource_CONFIRM)
https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023(x_refsource_MISC)

Related News (3 articles)

Tier A

Microsoft MSRC4h ago

CVE-2026-33891 Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

→ No new info (linked only)

Tier C

VulDB3d ago

CVE-2026-33891 | digitalbazaar forge up to 1.3.x BigInteger.modverse infinite loop (GHSA-5m6q-g25r-mvwx)

→ No new info (linked only)

Tier C

VulDB3d ago

CVE-2026-33891 | digitalbazaar forge up to 1.3.x BigInteger.modverse infinite loop (GHSA-5m6q-g25r-mvwx)

→ No new info (linked only)

Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Description

Affected Products

References

Related News (3 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History