Platform: nodejs
Component: file-type
Fixed in: 13.0.1, 21.3.1
CVE-2026-31808 describes a denial-of-service (DoS) vulnerability in the file-type module for Node.js. The flaw is an infinite loop triggered while parsing specially crafted ASF (WMV/WMA) files. An attacker can exploit it to stall the Node.js event loop and so degrade application availability. Versions prior to 21.3.1 are affected; the fix ships in 21.3.1.
The primary impact of CVE-2026-31808 is a denial-of-service condition. An attacker crafts a malicious ASF file containing a sub-header whose size field is zero. When the file-type module parses this file it enters an infinite loop, consuming CPU and freezing the Node.js event loop. Because a blocked event loop stops every other request handled by that process, the result is application unresponsiveness and service outages, and an application that can no longer respond to legitimate requests may also be easier to target with other attacks. The attack requires only the ability to supply a crafted file to the application, which makes it relatively easy to exploit.
CVE-2026-31808 was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) exploit is currently known, but the vulnerability's simplicity suggests that one could be developed with little effort. The EPSS score is likely to be assessed as a low-to-medium probability because the attacker must be able to supply the file input, but the potential impact warrants attention. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-31808 is to upgrade the file-type module to version 21.3.1 or later. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider adding input validation that rejects ASF files with zero-sized sub-headers before they reach the parser. This is not a complete solution, but it reduces the attack surface. Additionally, rate-limit file uploads so that an attacker cannot overwhelm the system with malicious files. After upgrading, confirm the fix by parsing a known malicious ASF file (if one is available) and verifying that the application does not enter an infinite loop.
Update the `file-type` dependency to version 21.3.1 or higher. This corrects the denial-of-service vulnerability caused by an infinite loop when processing malformed ASF files. Run `npm install file-type@latest` or `yarn upgrade file-type` to update.
CVE-2026-31808 is a denial-of-service vulnerability in the file-type Node.js module, allowing an attacker to stall the event loop by providing a crafted ASF file.
You are affected if you are using a version of the file-type module prior to 21.3.1 and handle untrusted ASF files.
Upgrade the file-type module to version 21.3.1 or later. If upgrading is not possible, implement input validation to reject ASF files with zero-sized sub-headers.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Node.js security advisories and the file-type module's repository for updates and information.