{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/node-forge/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["node-forge"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","node-forge","javascript","cryptography"],"_cs_type":"advisory","_cs_vendors":["Node-Forge"],"content_html":"\u003cp\u003eThe node-forge library, a widely used cryptographic tool in JavaScript environments, contains a denial-of-service vulnerability in its BigInteger implementation (jsbn.js). Specifically, the \u003ccode\u003emodInverse()\u003c/code\u003e function, which calculates the modular multiplicative inverse, enters an infinite loop when invoked with a zero value. This occurs because the Extended Euclidean Algorithm within \u003ccode\u003emodInverse()\u003c/code\u003e lacks input validation for zero values, leading to an unreachable exit condition. An attacker can exploit this vulnerability by crafting inputs that trigger the \u003ccode\u003emodInverse()\u003c/code\u003e function with a zero value, causing the Node.js process to hang and rendering the application unavailable. This issue affects all versions of node-forge, including the latest (v1.3.1 as of the report), and can impact applications that process untrusted cryptographic parameters. The vulnerability was reported in March 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an application using node-forge and exposing cryptographic operations that involve modular arithmetic.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input, specifically designed to result in a zero value being passed to the \u003ccode\u003emodInverse()\u003c/code\u003e function. This could be through DSA/ECDSA signature manipulation or custom RSA/Diffie-Hellman implementations.\u003c/li\u003e\n\u003cli\u003eThe application receives the malicious input via a network request or other external data source.\u003c/li\u003e\n\u003cli\u003eThe application processes the input, leading to a call to \u003ccode\u003eBigInteger.modInverse(m)\u003c/code\u003e in \u003ccode\u003elib/jsbn.js\u003c/code\u003e with a zero value as the \u003ccode\u003ethis\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emodInverse()\u003c/code\u003e function's Extended Euclidean Algorithm enters an infinite loop due to the missing zero-value check.\u003c/li\u003e\n\u003cli\u003eThe Node.js event loop becomes blocked, preventing the application from processing further requests.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive, resulting in a denial of service.\u003c/li\u003e\n\u003cli\u003eThe server process consumes 100% CPU, exacerbating the DoS impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can cause a complete Denial of Service (DoS). The Node.js process will hang indefinitely, blocking the event loop and rendering the application unresponsive to all subsequent requests. This vulnerability affects any application processing untrusted cryptographic parameters using node-forge. As node-forge has millions of weekly downloads on npm, this poses a significant risk to a large number of applications. The impact is primarily on availability, as the application becomes completely unusable until the process is manually restarted or a fix is deployed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to node-forge version 1.4.0 or later, which includes a fix for this vulnerability (CVE-2026-33891).\u003c/li\u003e\n\u003cli\u003eImplement input validation to prevent zero values from being passed to the \u003ccode\u003emodInverse()\u003c/code\u003e function in \u003ccode\u003elib/jsbn.js\u003c/code\u003e. Specifically, add a check for \u003ccode\u003ethis.signum() == 0\u003c/code\u003e as described in the \u0026quot;Suggested Fix\u0026quot; section of this brief.\u003c/li\u003e\n\u003cli\u003eMonitor CPU usage of Node.js processes for sustained high CPU utilization, which can be an indicator of this DoS attack. Deploy a Sigma rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003ecpu_usage\u003c/code\u003e to detect abnormal CPU consumption by node processes.\u003c/li\u003e\n\u003cli\u003eImplement timeouts for cryptographic operations that use \u003ccode\u003emodInverse()\u003c/code\u003e to limit the impact of a potential infinite loop.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-node-forge-dos/","summary":"The node-forge library is vulnerable to a denial of service (DoS) due to an infinite loop in the BigInteger.modInverse() function when called with a zero value, leading to application unresponsiveness and high CPU usage.","title":"Node-Forge Denial of Service via modInverse(0)","url":"https://feed.craftedsignal.io/briefs/2024-01-node-forge-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Node-Forge","version":"https://jsonfeed.org/version/1.1"}