CVE-2026-31808

Published: Mar 10, 2026

Modified: Mar 11, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.

Vendor	Product	Versions
sindresorhus	file-type	affected `>= 13.0.0, < 21.3.1`

Weaknesses (CWE)

CWE-835

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473

x_refsource_CONFIRM

https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31808

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References