Description
This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Recommendation
Update the bn.js package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0, < 5.2.3** and **< 4.12.3**
Patched version(s): **5.2.3**, **4.12.3**
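To see which installed copies need the update, including copies nested under other dependencies, the ranges above can be checked against a lockfile. This is an added example, not code from the advisory or from the bn.js project; it assumes the npm lockfile `packages` map (lockfileVersion 2 or 3), and the sample lockfile and its package names are constructed.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Affected ranges as stated in the advisory: < 4.12.3, or >= 5.0.0 and < 5.2.3.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: flag for manual review
  if (cmp(v, [4, 12, 3]) < 0) return true;
  return cmp(v, [5, 0, 0]) >= 0 && cmp(v, [5, 2, 3]) < 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3) and report every
// installed bn.js copy, nested ones included, that falls in an affected range.
function findAffectedBn(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/bn\.js$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile fragment; package names are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/bn.js": { version: "5.2.3" },
    "node_modules/dep-a/node_modules/bn.js": { version: "4.12.0" },
    "node_modules/dep-b/node_modules/bn.js": { version: "5.2.1" },
    "node_modules/dep-c/node_modules/bn.js": { version: "4.12.3" },
    "node_modules/not-bn.js": { version: "1.0.0" }
  }
};

for (const h of findAffectedBn(sampleLock)) {
  console.log(`affected: ${h.path}@${h.version}`);
}
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `findAffectedBn` in place of `sampleLock`.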
References
Related Issues
- music-metadata has an infinite loop vulnerability in ASF parser - CVE-2026-32256
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) - CVE-2026-26278
Tags: npm, bn.js
Last updated on February 24, 2026