Description
file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the ASF (WMV/WMA) file type detection parser of the file-type library. When an ASF sub‑header’s size field is set to zero, the parser enters an infinite loop. The loop decrements a payload counter to a negative value, causing the tokenizer to move read position backwards and continuously reread the same sub‑header, ultimately stalling the Node.js event loop. This denial of service flaw is an instance of CWE‑835 (Infinite Loop). This flaw can be triggered by a crafted 55‑byte payload and results in a denial of service, disrupting legitimate application processing of untrusted or attacker‑controlled data.

Affected Systems

The affected product is "sindresorhus:file-type" used in Node.js applications. Versions prior to 21.3.1 are impacted. Any code that calls file-type to examine user‑supplied files, streams, or raw data is vulnerable until the library is upgraded to 21.3.1 or later.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium impact, while the EPSS score of less than 1% reflects a low probability of exploitation in the general population. The vulnerability is not listed in the CISA KEV catalog. Attackers who can supply crafted ASF content to an application that unconditionally passes data to file-type can cause the event loop to freeze, effectively denying service to all users of that instance. Even though exploitation requires an altered ASF file, the flaw can be triggered with a small, non‑malicious looking payload, implying a moderate ease of attack once the condition is met.

Generated by OpenCVE AI on April 16, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the file-type library to version 21.3.1 or higher.
  • If an upgrade cannot be performed immediately, remove or disable the ASF parsing capability in file-type (e.g., apply a local patch or configuration that turns off ASF support).
  • Avoid passing untrusted or attacker‑controlled data directly to file-type; instead, perform additional input validation or use an alternative file‑type detection mechanism until the library is fixed.

Generated by OpenCVE AI on April 16, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5v7r-6r5c-r473 file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
History

Wed, 18 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sindresorhus
Sindresorhus file-type
Vendors & Products Sindresorhus
Sindresorhus file-type

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.
Title file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Sindresorhus File-type
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T16:00:14.754Z

Reserved: 2026-03-09T16:33:42.913Z

Link: CVE-2026-31808

cve-icon Vulnrichment

Updated: 2026-03-11T15:53:39.314Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:50.173

Modified: 2026-03-18T19:48:13.733

Link: CVE-2026-31808

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-10T21:01:55Z

Links: CVE-2026-31808 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses