Platform: nodejs
Component: file-type
Fixed in: 20.0.1, 21.3.2
CVE-2026-32630 describes a Denial of Service (DoS) vulnerability within the file-type Node.js package. A maliciously crafted ZIP file can trigger excessive memory allocation during file type detection processes, leading to application instability and potential crashes. This vulnerability impacts versions of file-type prior to 21.3.2, and a fix has been released in version 21.3.2.
An attacker can exploit this vulnerability by providing a specially crafted ZIP file to an application utilizing the file-type package. The vulnerability lies in how file-type handles ZIP files when determining their type. Specifically, the fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile() functions are susceptible. While stream-based detection enforces a ZIP inflate output limit, this limit is not applied to known-size inputs. Consequently, a small compressed ZIP file can trigger the file-type package to inflate and process a significantly larger payload, resulting in excessive memory consumption. This can lead to resource exhaustion, application slowdowns, and ultimately, a denial of service. The potential blast radius depends on the application's resource limits and the number of concurrent requests.
This vulnerability was publicly disclosed on 2026-03-13. No known public proof-of-concept (PoC) exploits had been released at the time of writing, and the vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 5.3 rates it as medium severity, suggesting that while the vulnerability is serious, it may require some effort to exploit successfully.
Applications built on Node.js that rely on the file-type module for file type identification are at risk. This includes web applications, file processing services, and any system handling user-uploaded files. Legacy applications using older versions of file-type are particularly vulnerable, as are applications that do not perform adequate input validation on uploaded files.
• nodejs / server:
npm ls file-type 2>/dev/null | grep -oE 'file-type@[0-9]+\.[0-9]+\.[0-9]+' | sort -u # List installed file-type versions; anything below 21.3.2 is affected
• generic web:
curl -I 'http://your-application/file-upload' # Check for file upload endpoints
grep -i 'zip' /var/log/apache2/access.log # Monitor for ZIP file uploads
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32630 is to upgrade the file-type package to version 21.3.2 or later. This version includes a fix that enforces the ZIP inflate output limit for all input types, preventing the excessive memory growth. If upgrading is not immediately feasible, consider implementing input validation to restrict the size and type of files processed by the application. WAF rules could be implemented to block uploads of suspicious ZIP files based on size or other characteristics. Monitor memory usage within the application to detect potential DoS attacks. After upgrading, confirm the fix by attempting to process a known malicious ZIP file and verifying that memory usage remains within acceptable limits.
Update the file-type library to version 21.3.2 or later. This fixes the denial-of-service vulnerability caused by excessive ZIP decompression. You can update with npm or yarn.
CVE-2026-32630 is a denial-of-service vulnerability in the file-type Node.js module. A crafted ZIP file can cause excessive memory growth, potentially crashing the application.
You are affected if you are using a version of the file-type module prior to 21.3.2 and process user-supplied ZIP files.
Upgrade the file-type module to version 21.3.2 or later. Consider input validation as an interim measure.
There is currently no evidence of active exploitation, but the vulnerability is relatively simple to exploit.
Refer to the file-type module's repository or documentation for the official advisory and release notes.