digitalbazaar node-forge
cpe:2.3:a:digitalbazaar:forge:*:*:*:*:node.js:*:*
- <= 1.3.1
A denial-of-service vulnerability affects the node-forge library in versions up to and including 1.3.1. The cause is an infinite loop in BigInteger.modInverse(), which node-forge inherits from the bundled jsbn library. jsbn implements modInverse() with the binary extended Euclidean algorithm, whose inner loops repeatedly halve a working value while it is even. When the value being inverted (the receiver) is zero, halving it yields zero again, and zero is always even, so the loop's exit condition can never be reached; the call never returns and the process spins at 100% CPU. jsbn does return BigInteger.ZERO early for a zero modulus, so the trigger is specifically a zero receiver, not every zero argument. Any application that passes attacker-influenced values to modInverse() is exposed, for example custom RSA or Diffie-Hellman code that inverts a number supplied by the peer, or signature verification built on those primitives.
A successful trigger hangs the Node.js process indefinitely. Because the loop is synchronous, it blocks the event loop entirely: no other request, timer, or I/O callback runs until the process is killed and restarted, so a single malicious input takes the whole worker down.
To reproduce, install node-forge 1.3.1 or earlier and run a script that calls modInverse() on a zero BigInteger with an odd modulus. The call never returns and the process stays at 100% CPU, which confirms the denial-of-service condition. Run the check under an external timeout (for example `timeout 5 node repro.js`) so the test itself does not hang the shell.
Users can upgrade to node-forge version 1.4.0 or later, where this vulnerability has been patched. Until the upgrade is deployed, callers should reject a zero value before invoking modInverse(), since the affected library performs no such check itself.
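The loop mechanism and the caller-side guard, as an added JavaScript example that is not node-forge's or jsbn's own code. It models the halving loop on native BigInt with an iteration budget so the zero case reports a hang instead of spinning, pairs it with a hardened modular-inverse routine that rejects every degenerate input up front, and adds a guard that can sit in front of a jsbn-style BigInteger.modInverse() call. The guard assumes only the signum() and isEven() methods; the fakeJsbn objects in the demo are constructed stand-ins for testing, not real forge objects.

```javascript
// Added example (not node-forge or jsbn code). Models why a zero receiver hangs
// jsbn-style modInverse() and shows the caller-side checks that prevent it.

// The binary extended-GCD inner loop strips factors of two: "while v is even, v >>= 1".
// For v === 0n this never ends, because 0n >> 1n is still 0n and 0n is even.
// An iteration budget turns the would-be hang into an observable result.
function stripTwos(v, budget) {
  let shifts = 0;
  while ((v & 1n) === 0n) {
    if (shifts === budget) return { hang: true, shifts };
    v >>= 1n;
    shifts++;
  }
  return { hang: false, v, shifts };
}

// Hardened modular inverse on native BigInt using the classic extended Euclid.
// Degenerate inputs (zero, non-positive modulus, gcd != 1) raise instead of
// hanging or silently returning zero.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse expects BigInt arguments');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  a = ((a % m) + m) % m;                                   // normalise into [0, m)
  if (a === 0n) throw new RangeError('zero has no modular inverse'); // jsbn hang trigger
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];                                // invariant: oldS*a == oldR (mod m)
  while (r !== 0n) {
    const q = oldR / r;                                    // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new RangeError('value is not invertible modulo m (gcd != 1)');
  return ((oldS % m) + m) % m;
}

// Guard for code that must keep calling a jsbn-style BigInteger.modInverse().
// Assumes the objects expose signum() and isEven(), as jsbn's BigInteger does.
// Returns a reason string when the call would be unsafe, or null when it is fine.
function jsbnModInverseUnsafeReason(x, m) {
  if (m.signum() === 0) return 'zero modulus';
  if (x.signum() === 0) return 'zero receiver: jsbn modInverse() loops forever';
  if (x.isEven() && m.isEven()) return 'even value and even modulus: no inverse';
  return null;
}

// Constructed stand-ins for jsbn BigInteger objects (not real forge objects).
function fakeJsbn(n) {
  return {
    signum: () => (n === 0n ? 0 : n > 0n ? 1 : -1),
    isEven: () => (n & 1n) === 0n,
  };
}

function demo() {
  return {
    zeroHangs: stripTwos(0n, 64).hang,            // true: budget exhausted, v never became odd
    twelveStripped: stripTwos(12n, 64).v,          // 3n after two shifts
    textbookRsaD: safeModInverse(17n, 3120n),      // 2753n, the textbook RSA private exponent
    guardOnZero: jsbnModInverseUnsafeReason(fakeJsbn(0n), fakeJsbn(11n)),
    guardOnOk: jsbnModInverseUnsafeReason(fakeJsbn(3n), fakeJsbn(11n)),
  };
}

console.log(demo());
```

The guard is the minimal fix for a codebase that cannot upgrade immediately: call jsbnModInverseUnsafeReason() on the real forge BigInteger objects and refuse the operation when it returns a reason. safeModInverse() shows what a correct routine does with the same inputs; it treats "not invertible" as an error rather than a zero result, which is the behaviour a signature or key-agreement path should want.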