Description
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Published: 2026-02-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via infinite loop in bn.js
Action: Patch Immediately
AI Analysis

Impact

Calling maskn(0) on a bn.js instance corrupts its internal big‑integer representation, causing several methods such as toString() and divmod() to enter an infinite loop that freezes the JavaScript process. This is a classic resource exhaustion flaw (CWE‑835) that results in a denial of service.

Affected Systems

All JavaScript runtimes that include the open‑source bn.js library prior to version 5.2.3, for example Node.js applications that depend on indutny/bn.js for large‑integer arithmetic.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1 % suggests that real‑world exploitation is currently unlikely. The vulnerability is not listed in CISA KEV. Exploitation requires attacker‑controlled code to invoke maskn(0), implying a local or supply‑chain risk rather than a direct network‑exploitable vector.

Generated by OpenCVE AI on April 18, 2026 at 11:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade bn.js to version 5.2.3 or newer to eliminate the flaw.
  • Audit application code to ensure that maskn(0) is never called, especially in paths that process untrusted input.
  • Add runtime checks or sandboxing that prevents execution of untrusted JavaScript so that maskn(0) cannot be invoked by an attacker.

Generated by OpenCVE AI on April 18, 2026 at 11:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-378v-28hj-76wf bn.js affected by an infinite loop
History

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title bn.js: bn.js: Denial of Service via calling maskn(0)
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Indutny
Indutny bn.js
Vendors & Products Indutny
Indutny bn.js

Fri, 20 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Description This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Indutny Bn.js
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-02-20T15:03:53.743Z

Reserved: 2026-02-19T10:59:37.687Z

Link: CVE-2026-2739

cve-icon Vulnrichment

Updated: 2026-02-20T15:02:17.287Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T05:17:53.033

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2739

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-20T05:00:08Z

Links: CVE-2026-2739 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses