CVE-2026-2739
📋 TL;DR
In bn.js versions before 5.2.3, calling maskn(0) on any BN instance leaves that object in an inconsistent internal state; subsequent calls on it such as toString() and divmod() then loop forever, hanging the process. Any application that uses an affected bn.js version for big-number arithmetic, including cryptographic code that depends on it transitively, is exposed wherever an attacker can influence the bit count passed to maskn().
💻 Affected Systems
- bn.js
⚠️ Manual Verification Required
The CVE database entry used here carries no version range, so automated version matching cannot tell whether an installed copy is affected.
Why? The entry does not specify affected versions (no ranges were provided by the vendor/NVD). Use the upstream fix as the boundary instead: the fix shipped in 5.2.3, so treat every installed copy older than 5.2.3 as affected until verified.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A single maskn(0) call hangs the process indefinitely. In Node.js the hung call blocks the event loop, so every request served by that process stalls until a supervisor kills it; the process does not recover on its own. Servers that rely on bn.js for cryptographic or other big-number work become unavailable.
Likely Case
Service disruption whenever malicious or malformed input reaches a maskn() call with a zero bit count. The hung processes must be killed and restarted, by hand or by a process supervisor, and any in-flight work in them is lost.
If Mitigated
Limited impact if the bit count passed to maskn() is validated before the call, or if no maskn() call in the application or its dependencies can be reached with a value derived from untrusted input.
🎯 Exploit Status
Proof of concept is publicly available in the GitHub issues and gist listed under References. Exploitation is straightforward: no memory corruption or special setup is needed, only a code path in which the attacker can make the bits argument of maskn() equal 0.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.3
Fix Commit (upstream): https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
Restart Required: Yes
Instructions:
1. Update the bn.js dependency to version 5.2.3 or later.
2. Run 'npm update bn.js' or 'yarn upgrade bn.js'. bn.js is usually pulled in transitively, and a dependent that pins an older major range (for example ^4) will not be moved to 5.2.3 by these commands; use npm 'overrides' or yarn 'resolutions' for such copies, then confirm with 'npm ls bn.js' that no copy below 5.2.3 remains anywhere in the tree.
3. Restart all affected applications and services so that running processes load the updated module.
🔧 Temporary Workarounds
Input validation wrapper
Wrap all maskn() calls with validation that rejects a zero bit count
// In your code, route maskn() calls through a guard instead of calling it directly:
function safeMaskn(bnInstance, bits) {
  // A zero bit count is the trigger; refuse it before bn.js can corrupt the instance.
  // (Mathematically x mod 2^0 is 0; callers that legitimately need that result
  // can return a fresh zero BN here instead of throwing.)
  if (!Number.isInteger(bits) || bits <= 0) {
    throw new Error('maskn(0) is not allowed');
  }
  return bnInstance.maskn(bits);
}
🧯 If You Can't Patch
- Validate the bit count before any maskn() call that can be reached from user-controlled input. A wrapper in your own code only covers direct calls; maskn() calls made inside third-party dependencies are not intercepted, so audit those call sites as well.
- Monitor processes for sustained high CPU usage with no progress (a blocked event loop, health checks timing out) and have a supervisor restart them automatically; the hang never clears on its own.
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list bn.js' and look for any copy below 5.2.3. Because bn.js is commonly nested under several dependencies, 'npm list bn.js' may print more than one version; every copy listed must be 5.2.3 or later.
Check Version:
npm list bn.js | grep bn.js
Verify Fix Applied:
Confirm that every copy reported by 'npm list bn.js' is 5.2.3 or higher, then test that maskn(0) no longer hangs. Run that test in a throwaway process with a timeout, not inside a live service, because on an affected copy the call never returns.
📡 Detection & Monitoring
Log Indicators:
- Node.js processes stuck at sustained high CPU usage while serving no requests
- Requests that never complete after a big-number operation (health checks and client calls time out rather than fail with an error)
- No corresponding error entries: Node emits no warning for a blocked event loop, so a live process at full CPU with silent logs is itself the indicator
Network Indicators:
- Service unavailability after mathematical API calls
- Timeout errors on endpoints using bn.js operations
SIEM Query:
Alert on Node.js processes that load bn.js and show sustained CPU usage near 100% for longer than the normal request budget while their request throughput drops to zero; correlate with upstream timeout errors on the endpoints that perform big-number operations.
🔗 References
- https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
- https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
- https://github.com/indutny/bn.js/issues/186
- https://github.com/indutny/bn.js/issues/316
- https://github.com/indutny/bn.js/pull/317
- https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301