CVE-2026-33891
Published: 27 March 2026
Summary
CVE-2026-33891 is a high-severity Infinite Loop (CWE-835) vulnerability in Digitalbazaar Forge. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and patching of software flaws like the infinite loop in node-forge's BigInteger.modInverse(), preventing exploitation by upgrading to version 1.4.0.
Mandates vulnerability scanning and monitoring to identify vulnerable node-forge versions (<1.4.0) in dependencies, enabling proactive remediation before remote DoS exploitation.
Provides denial-of-service protections against resource exhaustion attacks, such as 100% CPU consumption from the infinite loop triggered by zero input to modInverse().
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of the infinite loop in node-forge directly enables T1190 (Exploit Public-Facing Application) for DoS impact and T1499.004 (Application or System Exploitation) via crafted input triggering resource exhaustion.
NVD Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from…
more
the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Deeper analysisAI
CVE-2026-33891 is a Denial of Service (DoS) vulnerability in the node-forge library, a JavaScript implementation of Transport Layer Security also known as Forge. Versions prior to 1.4.0 are affected due to an infinite loop in the BigInteger.modInverse() function, inherited from the bundled jsbn library. When modInverse() receives a zero value as input, the internal Extended Euclidean Algorithm fails to reach its exit condition, causing the process to hang indefinitely and consume 100% CPU. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-835 (Infinite Loop).
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By supplying a zero value to the modInverse() function in applications using vulnerable node-forge versions, an unauthenticated attacker can trigger the infinite loop, leading to complete resource exhaustion and denial of service on the targeted process or server.
The node-forge security advisory (GHSA-5m6q-g25r-mvwx) and the patching commit (9bb8d67b99d17e4ebb5fd7596cd699e11f25d023) confirm that upgrading to version 1.4.0 resolves the issue by fixing the loop condition in the Extended Euclidean Algorithm implementation. Security practitioners should audit dependencies for node-forge <1.4.0 and apply the update promptly, especially in TLS-handling Node.js applications.
Details
- CWE(s)