Description
tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing operation to stop making progress and remain busy until the worker or process is terminated. The root cause is that _parse_synced_lyrics assumes _find_string_end_pos always returns a position greater than the current offset. That assumption is false when no string terminator is present in the remaining frame content. This issue has been fixed in version 2.2.1.
Published: 2026-03-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in tinytag causes an infinite loop during parsing of an ID3v2 SYLT (synchronized lyrics) frame. A specially crafted 498‑byte MP3 file can trigger the loop, preventing the library from completing the parse and locking the worker or process. Attackers who provide such a file to a server that automatically parses user files can force the application to hang indefinitely, effectively causing a denial of service.

Affected Systems

Affected systems include any Python application using tinytag‑2.2.0. The library’s CPE entry identifies version 2.2.0 as vulnerable, and the issue has been addressed in version 2.2.1. Systems that perform server‑side media metadata extraction should review whether tinytag 2.2.0 is in use and update accordingly.

Risk and Exploitability

With a CVSS score of 6.5, the severity is moderate. The EPSS score is under 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating low public exploitation. Nonetheless, because the attack requires only the delivery of a malicious file, any service that accepts untrusted MP3 uploads is at risk. The fix is straightforward and supplied by the vendor, so the main risk is the potential for downtime rather than data breach.

Generated by OpenCVE AI on March 30, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tinytag to version 2.2.1 or later.

Generated by OpenCVE AI on March 30, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f4rq-2259-hv29 Denial of service via non-terminating SYLT frame parsing loop in tinytag
History

Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Tinytag Project
Tinytag Project tinytag
CPEs cpe:2.3:a:tinytag_project:tinytag:2.2.0:*:*:*:*:python:*:*
Vendors & Products Tinytag Project
Tinytag Project tinytag

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

threat_severity

Moderate

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Tinytag
Tinytag tinytag
Vendors & Products Tinytag
Tinytag tinytag

Fri, 20 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing operation to stop making progress and remain busy until the worker or process is terminated. The root cause is that _parse_synced_lyrics assumes _find_string_end_pos always returns a position greater than the current offset. That assumption is false when no string terminator is present in the remaining frame content. This issue has been fixed in version 2.2.1.
Title tinytag: Denial of Service via non-terminating SYLT frame parsing loop
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Tinytag Tinytag
Tinytag Project Tinytag
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T02:59:12.338Z

Reserved: 2026-03-16T21:03:44.422Z

Link: CVE-2026-32889

cve-icon Vulnrichment

Updated: 2026-03-21T02:59:07.925Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T03:15:59.873

Modified: 2026-03-30T14:52:35.707

Link: CVE-2026-32889

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T02:23:25Z

Links: CVE-2026-32889 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:58:19Z

Weaknesses