Vulnerability Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Digitalbazaar | Forge | <= 1.3.3 |
Related Weaknesses (CWE)
References
- https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11fPatch
- https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwxVendor AdvisoryExploit
FAQ
What is CVE-2026-33891?
CVE-2026-33891 is a vulnerability with a CVSS score of 7.5 (HIGH). Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library ...
How severe is CVE-2026-33891?
CVE-2026-33891 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33891?
Check the references section above for vendor advisories and patch information. Affected products include: Digitalbazaar Forge.