Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Weakness
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Forge | Digitalbazaar | * | 1.3.3 (including) |
| Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | automation-gateway-0:2.5.20260422-3.el8ap | * |
| Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | automation-gateway-0:2.5.20260422-3.el9ap | * |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | automation-platform-ui-0:2.6.9-1.el9ap | * |
| Red Hat Developer Hub 1.8 | RedHat | rhdh/rhdh-hub-rhel9:1776784286 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1777903262 | * |