CVE-2026-33891: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in digitalbazaar forge
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
AI Analysis
Technical Summary
The digitalbazaar forge library, a JavaScript implementation of Transport Layer Security, contains a denial of service vulnerability in versions before 1.4.0. The vulnerability is caused by an infinite loop in the BigInteger.modInverse() function inherited from the bundled jsbn library. When modInverse() receives a zero value as input, the internal Extended Euclidean Algorithm enters a state with no reachable exit condition, resulting in the process hanging indefinitely and maxing out CPU usage. This flaw is classified under CWE-835 (Loop with Unreachable Exit Condition). The issue is resolved in forge version 1.4.0.
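The hang described above is what happens when the Extended Euclidean Algorithm is given an input for which its normal exit condition can never be reached. The following is an added example, not code from forge or from the bundled jsbn library, showing a modular-inverse routine written so that every loop exit is reachable: it reduces the input first, rejects zero explicitly (gcd(0, m) = m, so no inverse exists), returns a clear error for any other non-coprime input, and enforces the known iteration bound of the Euclidean algorithm as a watchdog. It uses JavaScript BigInt rather than forge's BigInteger class; the function names `safeModInverse` and `isInvertible` and the iteration bound are assumptions of this example.

```javascript
// Added example (not forge/jsbn code): modular inverse with reachable exit
// conditions. Defensive pattern against the CWE-835 class of failure.

function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse expects BigInt arguments');
  }
  if (m <= 1n) {
    throw new RangeError('modulus must be greater than 1');
  }

  // Reduce a into [0, m) so negative and oversized inputs are handled once.
  a = ((a % m) + m) % m;

  // The case from the advisory: 0 has no inverse modulo m. A loop that
  // assumes an inverse exists has no reachable exit here, so reject it.
  if (a === 0n) {
    throw new RangeError(`0 has no inverse modulo ${m}`);
  }

  // Extended Euclid: (oldR, r) track remainders, (oldS, s) the Bezout
  // coefficient for a. Invariant: oldS * a == oldR (mod m).
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];

  // Lame's theorem bounds the number of division steps by roughly
  // 1.5 * bitlength(m); 2 * bitlength + 2 is a safe watchdog (assumed bound).
  const bound = 2 * m.toString(2).length + 2;
  let steps = 0;

  while (r !== 0n) {
    if (++steps > bound) {
      // Cannot happen for valid BigInt inputs; guards against a logic error
      // turning into a CPU-consuming hang instead of a visible failure.
      throw new Error('Euclidean iteration bound exceeded');
    }
    const q = oldR / r;              // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }

  // oldR is now gcd(a, m); an inverse exists only when it is 1.
  if (oldR !== 1n) {
    throw new RangeError(`${a} is not invertible modulo ${m} (gcd = ${oldR})`);
  }
  return ((oldS % m) + m) % m;
}

// Non-throwing predicate for validating untrusted parameters before use.
function isInvertible(a, m) {
  try {
    safeModInverse(a, m);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}

// Usage: the classic RSA textbook value, d = e^-1 mod phi(n)
// console.log(safeModInverse(17n, 3120n)); // 2753n
```

The important property is not the arithmetic but the control flow: an input that has no inverse produces an exception after a bounded amount of work rather than an unbounded loop, so a caller handling untrusted parameters (for example key material parsed from a peer) can fail the request instead of pinning a CPU core.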
Potential Impact
An attacker able to supply input that triggers the modInverse() function with zero can cause the affected application to hang indefinitely, leading to a denial of service condition. This results in 100% CPU utilization and unavailability of the affected process. There is no impact on confidentiality or integrity reported. No known exploits in the wild have been documented.
Mitigation Recommendations
Upgrade the digitalbazaar forge library to version 1.4.0 or later, where this infinite loop vulnerability is patched. Since this is a native library, applying the official fix by updating the dependency is the recommended remediation. There is no indication that temporary workarounds or other mitigations are available or necessary.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T15:10:05.682Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6efce3c064ed76ff462e1
Added to database: 3/27/2026, 8:59:58 PM
Last enriched: 4/4/2026, 11:02:14 AM
Last updated: 5/12/2026, 11:45:47 PM
Views: 110