Improve jsbn fix.

- More verbose fix with indication it's a forge fix for jshn.
- Avoid process spawning test. The tests should always pass. If they
  hang, that's a test failure.
- Add changelog entry.

Author: davidlehn

CHANGELOG.md

@@ -3,10 +3,28 @@ Forge ChangeLog
 
 ## 1.4.0 - 2026-xx-xx
 
+### Security
+- **HIGH**: Denial of Service in `BigInteger.modInverse()`
+  - A Denial of Service (DoS) vulnerability exists due to an infinite loop in
+    the `BigInteger.modInverse()` function (inherited from the bundled jsbn
+    library). When `modInverse()` is called with a zero value as input, the
+    internal Extended Euclidean Algorithm enters an unreachable exit condition,
+    causing the process to hang indefinitely and consume 100% CPU.
+  - Reported by Kr0emer.
+  - CVE ID: [CVE-2026-33891](https://www.cve.org/CVERecord?id=CVE-2026-33891)
+  - GHSA ID: [GHSA-5gfm-wpxj-wjgq](https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx)
+
 ### Changed
 - [jsbn] Update to `jsbn` 1.4. Sync partly back to original style for easier
   updates every decade or so.
 
+### Fixed
+- [jsbn] Fix `BigInteger.modInverse` to avoid an infinite loop and exit early
+  with zero when the target object value is <= 0. Zero may not be strictly
+  mathematically correct but aligns with current `jsbn` behavior returning zero
+  in other situations. The alternate of a `RangeError` would diverge from the
+  rest of the API.
+
 ## 1.3.3 - 2025-12-02
 
 ### Fixed

lib/jsbn.js

@@ -1122,7 +1122,13 @@ function bnpModInt(n) {
 
 // (public) 1/this % m (HAC 14.61)
 function bnModInverse(m) {
-  if(this.signum() == 0) return BigInteger.ZERO;
+  // FORGE: jsbn fix
+  // avoid infinite loop
+  if(this.signum() == 0) {
+    // returning zero to align with similar behavior when no multiplicative
+    // inverse module m is found.
+    return BigInteger.ZERO;
+  }
   var ac = m.isEven();
   if((this.isEven() && ac) || m.signum() == 0) return BigInteger.ZERO;
   var u = m.clone(), v = this.clone();

tests/unit/jsbn.js

@@ -1,45 +1,40 @@
 var ASSERT = require('assert');
+var JSBN = require('../../lib/jsbn');
 
-(function() {
-  if(typeof process === 'undefined' ||
-    !process.versions || !process.versions.node) {
-    return;
-  }
-
-  var moduleRequire = module.require ? module.require.bind(module) : require;
-  var PATH = moduleRequire('path');
-  var spawnSync = moduleRequire('child_process').spawnSync;
-
-  describe('jsbn', function() {
-    it('should return 0 for BigInteger(0).modInverse(3) without hanging', function() {
-      var script = [
-        'var JSBN = require("./lib/jsbn");',
-        'var BigInteger = JSBN.BigInteger;',
-        'var zero = new BigInteger("0", 10);',
-        'var mod = new BigInteger("3", 10);',
-        'var inv = zero.modInverse(mod);',
-        'process.stdout.write(inv.toString());'
-      ].join('\n');
-
-      var result = spawnSync(process.execPath, ['-e', script], {
-        cwd: PATH.join(__dirname, '../..'),
-        encoding: 'utf8',
-        timeout: 2000
-      });
-
-      if(result.error) {
-        if(result.error.code === 'EPERM') {
-          this.skip();
-          return;
-        }
-        if(result.error.code === 'ETIMEDOUT') {
-          ASSERT.fail('BigInteger(0).modInverse(3) timed out.');
-        }
-        throw result.error;
-      }
-
-      ASSERT.equal(result.status, 0, result.stderr);
-      ASSERT.equal(result.stdout, '0');
+describe.only('jsbn', function() {
+  describe('GHSA-5m6q-g25r-mvwx', function() {
+    // regression tests for GHSA-5m6q-g25r-mvwx
+    // test BigInteger.modInverse does not infinite loop with 0 inputs.
+    var BigInteger = JSBN.BigInteger;
+    it('should test BigInteger(0).modInverse(0) returns 0', function() {
+      var n = BigInteger.ZERO;
+      var mod = BigInteger.ZERO;
+      var inv = n.modInverse(mod);
+      ASSERT(inv.equals(BigInteger.ZERO));
+    });
+    it('should test BigInteger(0).modInverse(3) returns 0', function() {
+      var n = BigInteger.ZERO;
+      var mod = new BigInteger('3', 10);
+      var inv = n.modInverse(mod);
+      ASSERT(inv.equals(BigInteger.ZERO));
+    });
+    it('should test BigInteger(3).modInverse(0) returns 0', function() {
+      var n = new BigInteger('3', 10);
+      var mod = BigInteger.ZERO;
+      var inv = n.modInverse(mod);
+      ASSERT(inv.equals(BigInteger.ZERO));
+    });
+    it('should test BigInteger(3).modInverse(3) returns 0', function() {
+      var n = new BigInteger('3', 10);
+      var mod = new BigInteger('3', 10);
+      var inv = n.modInverse(mod);
+      ASSERT(inv.equals(BigInteger.ZERO));
+    });
+    it('should test BigInteger(7).modInverse(20) returns 3', function() {
+      var n = new BigInteger('7', 10);
+      var mod = new BigInteger('20', 10);
+      var inv = n.modInverse(mod);
+      ASSERT(inv.equals(new BigInteger('3', 10)));
     });
   });
-})();
+});