Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
References
| Link | Resource |
|---|---|
| https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023 | Patch |
| https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx | Vendor Advisory Exploit |
Configurations
History
08 Apr 2026, 13:50
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:* | |
| References | () https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023 - Patch | |
| References | () https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx - Vendor Advisory, Exploit | |
| First Time |
Digitalbazaar
Digitalbazaar forge |
27 Mar 2026, 21:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-27 21:17
Updated : 2026-04-08 13:50
NVD link : CVE-2026-33891
Mitre link : CVE-2026-33891
CVE.ORG link : CVE-2026-33891
JSON object : View
Products Affected
digitalbazaar
- forge
CWE
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')