GHSA-5v7r-6r5c-r473
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5v7r-6r5c-r473
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5v7r-6r5c-r473/GHSA-5v7r-6r5c-r473.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5v7r-6r5c-r473
- Aliases
- Downstream
- Related
- Published
- 2026-03-10T23:57:09Z
- Modified
- 2026-03-19T22:58:59.816179Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
- Details
-
Impact
A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a
sizefield of zero, the parser enters an infinite loop. Thepayloadvalue becomes negative (-24), causingtokenizer.ignore(payload)to move the read position backwards, so the same sub-header is read repeatedly forever.Any application that uses
file-typeto detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.Patches
Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.
Workarounds
Validate or limit the size of input buffers before passing them to
file-type, or run file type detection in a worker thread with a timeout.References
- Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f
Reporter
crnkovic@lokvica.com
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-10T23:57:09Z", "cwe_ids": [ "CWE-835" ], "severity": "MODERATE", "nvd_published_at": "2026-03-10T21:16:50Z" }- References
Affected packages
npm / file-type
Package
- Name
- file-type
- View open source insights on deps.dev
- Purl
- pkg:npm/file-type