Description

yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.

INFO

Published Date :

2026-03-11T22:58:48.863Z

Last Modified :

2026-03-11T22:58:48.863Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31988 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31988.

URL Resource
https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe cve-icon cve-icon
https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash cve-icon cve-icon
https://www.npmjs.com/package/yauzl cve-icon cve-icon
https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact