Description

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.

INFO

Published Date :

2026-03-13T20:54:16.960Z

Last Modified :

2026-03-16T16:59:36.473Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32630 vulnerability.

Vendors Products
Sindresorhus
  • File-type
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32630.

URL Resource
https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124 cve-icon cve-icon cve-icon
https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-32630 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-32630 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact