Description
music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version 11.12.3 fixes the issue.
Published: 2026-03-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Key detail from vendor description: music‑metadata’s ASF parser (`parseExtensionObject()`) enters an infinite loop when a sub‑object inside the ASF Header Extension Object has `objectSize = 0`. This behavior, classified as CWE‑835 (Infinite Loop), results in the processing application becoming unresponsive, effectively denying service to legitimate users.

Affected Systems

All releases of Borewit:music-metadata preceding version 11.12.3 are affected, as the vulnerability resides in the ASF parser module of those releases. The issue is fixed in version 11.12.3 and later.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation; the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker could supply a crafted ASF file to a vulnerable application; if the application parses untrusted files, the attacker could trigger the infinite loop and deny availability of the service.

Generated by OpenCVE AI on March 19, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update music-metadata to version 11.12.3 or later

Generated by OpenCVE AI on March 19, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v6c2-xwv6-8xf7 music-metadata has an infinite loop vulnerability in ASF parser
History

Thu, 19 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:borewit:music-metadata:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Borewit
Borewit music-metadata
Vendors & Products Borewit
Borewit music-metadata

Wed, 18 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Description music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version 11.12.3 fixes the issue.
Title music-metadata has an infinite loop vulnerability in ASF parser
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Borewit Music-metadata
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T13:34:12.042Z

Reserved: 2026-03-11T15:05:48.396Z

Link: CVE-2026-32256

cve-icon Vulnrichment

Updated: 2026-03-18T13:34:08.385Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T04:17:25.523

Modified: 2026-03-19T18:07:39.043

Link: CVE-2026-32256

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:24Z

Weaknesses