Description
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in the file-type library’s ZIP handling, where a crafted ZIP file can trigger excessive memory growth during type detection. This occurs when fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile() process a small compressed ZIP that expands to a much larger payload, exploiting the absence of an inflate output limit for known-size inputs. The resulting memory exhaustion can cause the application to crash or become unresponsive, constituting a denial of service. The weakness is classified as CWE-409.

Affected Systems

The issue affects the npm package 'sindresorhus/file-type' in all versions from 20.0.0 up to and including 21.3.1. Versions 21.3.2 and later incorporate the fix and are not affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector, though not explicitly stated, is inferred to require an attacker to supply a crafted ZIP file to the application’s type detection logic, making it a local or supply‑of‑data exploitation scenario rather than a remote network attack.

Generated by OpenCVE AI on March 17, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the file-type dependency to version 21.3.2 or later.

Generated by OpenCVE AI on March 17, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j47w-4g3g-c36v file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
History

Tue, 17 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 16 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sindresorhus
Sindresorhus file-type
Vendors & Products Sindresorhus
Sindresorhus file-type

Fri, 13 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
Title file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry
Weaknesses CWE-409
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Sindresorhus File-type
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T16:59:36.473Z

Reserved: 2026-03-12T15:29:36.559Z

Link: CVE-2026-32630

cve-icon Vulnrichment

Updated: 2026-03-16T16:59:24.226Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:19:40.593

Modified: 2026-03-17T19:05:56.580

Link: CVE-2026-32630

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-13T20:54:16Z

Links: CVE-2026-32630 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:39:31Z

Weaknesses