Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Summary
| CVE | CVE-2026-33891 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-27 21:17:25 UTC |
| Updated | 2026-07-02 12:17:07 UTC |
| Description | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.005960000 probability, percentile 0.441820000 (date 2026-07-04)
Problem Types: CWE-835 | CWE-606 | CWE-835 CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') | CWE-606 Unchecked Input for Loop Condition
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Digitalbazaar | Forge | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx | [email protected] | github.com | Exploit, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:34342 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:9742 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24762 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f... | [email protected] | github.com | Patch |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33891.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13826 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-33891 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24761 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-27T21:01:34.410Z | Reported to Red Hat. |
| ADP | 2026-03-27T20:43:37.725Z | Made public. |
Solutions
ADP: RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9
ADP: RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 9
ADP: RHSA-2026:34342: Cluster Observability Operator 1.5.0
ADP: RHSA-2026:9742: Red Hat Developer Hub 1.8
ADP: RHSA-2026:13826: Red Hat Developer Hub 1.9
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.