5.5
bn.js: Infinite Loop Triggers Process Hang
CVE-2026-2739
GHSA-378v-28hj-76wf
Summary
Versions of bn.js before 4.12.3 and 5.2.3 contain a bug that causes processes to hang indefinitely. Calling maskn(0) on a BN instance corrupts its internal state, after which methods such as toString() and divmod() never return. Update to version 4.12.3 or 5.2.3 to fix this issue.
What to do
- Update fanatid bn.js to version 4.12.3.
- Update fanatid bn.js to version 5.2.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| fanatid | bn.js | <= 4.12.3 | 4.12.3 |
| fanatid | bn.js | > 5.0.0, <= 5.2.3 | 5.2.3 |
Original title
bn.js affected by an infinite loop
Original description
This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
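To find installed copies that still predate the fix, including nested copies pulled in by other dependencies, the following added example (not code from bn.js or from this advisory) walks the `packages` map of an npm lockfile and flags bn.js versions before 4.12.3 and 5.2.3. The function names, the sample lockfile and the `pkg-*` paths are constructed for illustration, and it assumes lockfile format v2 or v3.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for bn.js
// copies older than the fixed releases named in the advisory.
const FIXED = { line4: [4, 12, 3], line5: [5, 2, 3] };

// Parse "x.y.z" into numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Strict "a < b" on [major, minor, patch] triples.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// true = affected, false = fixed, null = version could not be parsed.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  // Assumption: 5.x is compared against 5.2.3, anything older against 4.12.3.
  return v[0] >= 5 ? lessThan(v, FIXED.line5) : lessThan(v, FIXED.line4);
}

// Return every bn.js entry that is affected or whose version is unreadable.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/bn\.js$/.test(path)) continue;
    const affected = isAffected(meta.version);
    if (affected !== false) hits.push({ path, version: meta.version, affected });
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/bn.js": { version: "5.2.3" },
    "node_modules/pkg-a/node_modules/bn.js": { version: "4.12.0" },
    "node_modules/pkg-b/node_modules/bn.js": { version: "4.12.3" },
    "node_modules/pkg-c/node_modules/bn.js": { version: "5.2.1" },
  },
};

console.log(JSON.stringify(findAffected(sampleLock), null, 2));
```

For a real project, pass the parsed contents of `package-lock.json` to `findAffected`; entries reported with `affected: null` have a version string that needs manual review.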
nvd CVSS3.1
5.3
nvd CVSS4.0
5.5
Vulnerability type
CWE-835
- https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
- https://github.com/indutny/bn.js/issues/186
- https://github.com/indutny/bn.js/issues/316
- https://github.com/indutny/bn.js/pull/317
- https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
- https://nvd.nist.gov/vuln/detail/CVE-2026-2739
- https://github.com/indutny/bn.js/releases/tag/v5.2.3
- https://github.com/indutny/bn.js/issues/316#issuecomment-3924217358
- https://github.com/advisories/GHSA-378v-28hj-76wf
- https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
Published: 20 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026