Platform: nodejs
Component: file-type
Fixed in: 13.0.1, 21.3.1
CVE-2026-31808 describes a denial-of-service (DoS) vulnerability within the file-type module, a component used in Node.js applications for file type detection. An attacker can exploit this by providing a specially crafted ASF (WMV/WMA) file, leading to a stall in the Node.js event loop. This vulnerability impacts applications using file-type to process untrusted input and is resolved in version 21.3.1.
The vulnerability stems from how the file-type module parses ASF (Windows Media Video/Audio) files. When the parser encounters a sub-header whose size field is zero, it subtracts the 24-byte sub-header length and ends up with a negative payload length (-24), so it never advances past the current sub-header and reads the same one again in an infinite loop. The consequence is a complete stall of the Node.js event loop, which leaves the application unresponsive. This can lead to service disruption and, because the application can no longer respond to legitimate requests, may compound other weaknesses. The attack requires only a 55-byte crafted payload, making it relatively easy to construct and deploy.
CVE-2026-31808 was publicly disclosed on 2026-03-10. There is no indication of active exploitation or KEV listing at the time of writing. No public proof-of-concept (PoC) code has been released, but the vulnerability's simplicity suggests that a PoC could be developed relatively easily. The CVSS score of 5.3 (MEDIUM) reflects the potential for denial-of-service impact.
Applications that rely on the file-type module to determine file types, particularly those handling untrusted or attacker-controlled input, are at risk. This includes web applications with file upload functionality, media processing services, and any Node.js application utilizing the file-type module for file type detection.
• nodejs / server:
npm list file-type
Lists the installed version of the file-type module. If the version is below 21.3.1, the system is vulnerable.
• nodejs / server:
journalctl -u nodejs | grep -i "file-type"
Monitor Node.js logs for any errors or unusual activity related to the file-type module, particularly around file parsing.
• generic web:
Inspect file upload endpoints for proper ASF file validation. Ensure that the size field of ASF sub-headers is validated so that zero-sized values are rejected.
Disclosure
Exploit status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-31808 is to upgrade the file-type module to version 21.3.1 or later. This version includes a fix that prevents the infinite loop. If upgrading is not immediately feasible, consider implementing input validation to reject ASF files from untrusted sources. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to block requests containing suspicious ASF file extensions or patterns. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for prolonged Node.js event loop stalls can indicate exploitation.
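As an added example (not file-type's own code), the pre-check a Node.js service could run on an untrusted upload before handing it to a media parser, implementing the input validation recommended above: it walks the ASF sub-headers and rejects any whose size field is below the 24-byte header length, the condition under which a zero size turns into the -24 payload described earlier. It assumes the standard ASF Header Object layout (16-byte GUID, 8-byte size, 4-byte object count, two reserved bytes); the sub-object GUID used in the constructed test input is a placeholder.

```javascript
// Added example, not code from file-type: pre-validate the ASF object chain of an
// untrusted upload. Each object starts with a 16-byte GUID and a little-endian
// 64-bit size that counts the 24-byte header itself, so a declared size below 24
// leaves a negative payload and a parser that trusts it never advances.
const ASF_HEADER_GUID = Buffer.from('3026b2758e66cf11a6d900aa0062ce6c', 'hex');
const OBJECT_HEADER_SIZE = 24;  // GUID (16) + object size (8)
const HEADER_OBJECT_SIZE = 30;  // plus object count (4) and two reserved bytes

// Walks the sub-headers inside the top-level Header Object and returns
// { ok: true, objects } or { ok: false, reason, offset }.
function validateAsfHeader(buf) {
  if (buf.length < HEADER_OBJECT_SIZE || !buf.subarray(0, 16).equals(ASF_HEADER_GUID)) {
    return { ok: false, reason: 'missing ASF Header Object', offset: 0 };
  }
  const declared = buf.readBigUInt64LE(16);
  // Never walk past the bytes actually present, whatever the header claims.
  const end = declared > BigInt(buf.length) ? buf.length : Number(declared);
  const objects = [];
  let offset = HEADER_OBJECT_SIZE;
  while (offset + OBJECT_HEADER_SIZE <= end) {
    const size = buf.readBigUInt64LE(offset + 16);
    if (size < BigInt(OBJECT_HEADER_SIZE)) {
      return { ok: false, reason: `sub-header size ${size} is below the 24-byte minimum`, offset };
    }
    objects.push({ offset, guid: buf.subarray(offset, offset + 16).toString('hex'), size: Number(size) });
    offset += Number(size);  // always advances by at least 24 bytes, so the walk terminates
  }
  return { ok: true, objects };
}

// Constructed test input: a Header Object wrapping sub-objects given as
// [guidHex, declaredSize, payloadLength]. The sub-object GUID is a placeholder.
const PLACEHOLDER_GUID = '00112233445566778899aabbccddeeff';
function buildAsfHeader(subObjects) {
  const parts = subObjects.map(([guidHex, declaredSize, payloadLen]) => {
    const obj = Buffer.alloc(OBJECT_HEADER_SIZE + payloadLen);
    Buffer.from(guidHex, 'hex').copy(obj, 0);
    obj.writeBigUInt64LE(BigInt(declaredSize), 16);
    return obj;
  });
  const body = Buffer.concat(parts);
  const head = Buffer.alloc(HEADER_OBJECT_SIZE);
  ASF_HEADER_GUID.copy(head, 0);
  head.writeBigUInt64LE(BigInt(HEADER_OBJECT_SIZE + body.length), 16);
  head.writeUInt32LE(parts.length, 24);
  head[28] = 0x01; head[29] = 0x02;  // reserved bytes the ASF spec fixes to 1 and 2
  return Buffer.concat([head, body]);
}

console.log(validateAsfHeader(buildAsfHeader([[PLACEHOLDER_GUID, 0, 0]])));  // ok: false, offset: 30
```

Rejected uploads should be logged with the returned offset and reason, since a stream of such rejections on an upload endpoint is the observable signal the advisory says no Sigma or YARA rule currently covers.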
Update the `file-type` dependency to version 21.3.1 or later. This fixes the denial-of-service vulnerability caused by an infinite loop when processing malformed ASF files. Run `npm install file-type@latest` or `yarn upgrade file-type` to update.
CVE-2026-31808 is a denial-of-service vulnerability in the file-type Node.js module, allowing an attacker to stall the event loop by providing a crafted ASF file.
You are affected if you are using a version of the file-type module prior to 21.3.1 and handle untrusted ASF files.
Upgrade the file-type module to version 21.3.1 or later. If upgrading is not possible, implement input validation to reject ASF files with zero-sized sub-headers.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Node.js security advisories and the file-type module's repository for updates and information.