Description

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.

INFO

Published Date :

2026-03-10T21:01:55.466Z

Last Modified :

2026-03-11T16:00:14.754Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31808 vulnerability.

Vendors Products
Sindresorhus
  • File-type
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31808.

URL Resource
https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f cve-icon cve-icon cve-icon
https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-31808 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-31808 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact