Description
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
Published: 2026-03-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

yauzl, the Node.js unzip library, contains an off‑by‑one error in the NTFS extended timestamp extra field parser used by the getLastModDate() function. The loop condition incorrectly allows the parser to read past the end of the buffer, resulting in an ERR_OUT_OF_RANGE exception that crashes the entire process. A remote attacker can trigger this by delivering a crafted zip file with a malformed NTFS extra field, causing the application to terminate. This is a classic buffer overread leading to a denial‑of‑service attack and fits CWE‑193.

Affected Systems

The vulnerability is present in thejoshwolfe:yauzl library, version 3.2.0, as used by any Node.js application that processes zip uploads and calls entry.getLastModDate() on parsed entries. The issue was fixed in version 3.2.1; no other vendors or products are listed as affected.

Risk and Exploitability

The CVSS base score is 6.9, indicating moderate severity. The EPSS score is below 1 %, suggesting that exploitation is expected to be rare. The vulnerability is not included in the CISA KEV catalog. Attackers can exploit the flaw remotely by supplying a crafted zip file to an application that uses yauzl. There are no additional conditions beyond the presence of the malformed NTFS timestamp field; the exploit path is straightforward and does not require local privileges.

Generated by OpenCVE AI on March 17, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade yauzl to version 3.2.1 or later.

Generated by OpenCVE AI on March 17, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gmq8-994r-jv83 yauzl contains an off-by-one error
History

Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Thejoshwolfe
Thejoshwolfe yauzl
Vendors & Products Thejoshwolfe
Thejoshwolfe yauzl

Wed, 11 Mar 2026 23:15:00 +0000

Type Values Removed Values Added
Description yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
Title yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser
Weaknesses CWE-193
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Thejoshwolfe Yauzl
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T13:40:55.420Z

Reserved: 2026-03-10T19:48:11.109Z

Link: CVE-2026-31988

cve-icon Vulnrichment

Updated: 2026-03-12T13:40:42.721Z

cve-icon NVD

Status : Deferred

Published: 2026-03-11T23:16:00.530

Modified: 2026-04-15T14:56:45.970

Link: CVE-2026-31988

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:41Z

Weaknesses