CVE-2026-31808

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-835"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31808.json"
}

References

Affected packages

Git / github.com/sindresorhus/file-type

Affected ranges

Type: GIT
Repo: https://github.com/sindresorhus/file-type
Events: Introduced

9e910d8a95e883271b4ef77feaa225dcc21d9782

Fixed

ad5857e5384874e853cc9c4c29b867f1135a7c30

Affected versions

v13.*

v13.0.0

v13.0.1

v13.0.2

v13.0.3

v13.1.0

v13.1.1

v13.1.2

v14.*

v14.0.0

v14.1.0

v14.1.1

v14.1.2

v14.1.3

v14.1.4

v14.2.0

v14.3.0

v14.4.0

v14.5.0

v14.6.0

v14.6.1

v14.6.2

v14.7.0

v14.7.1

v15.*

v15.0.0

v15.0.1

v16.*

v16.0.0

v16.0.1

v16.1.0

v16.2.0

v16.3.0

v16.4.0

v16.5.0

v16.5.1

v17.*

v17.0.0

v17.0.1

v17.0.2

v17.1.0

v17.1.1

v17.1.2

v17.1.3

v17.1.4

v17.1.5

v17.1.6

v18.*

v18.0.0

v18.1.0

v18.2.0

v18.2.1

v18.3.0

v18.4.0

v18.5.0

v18.6.0

v18.7.0

v19.*

v19.0.0

v19.1.0

v19.1.1

v19.2.0

v19.3.0

v19.4.0

v19.4.1

v19.5.0

v19.6.0

v20.*

v20.0.0

v20.0.1

v20.1.0

v20.2.0

v20.3.0

v20.4.0

v20.4.1

v20.5.0

v21.*

v21.0.0

v21.1.0

v21.1.1

v21.2.0

v21.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31808.json"