Platform: nodejs
Component: file-type
Fixed in: 20.0.1, 21.3.2
CVE-2026-32630 is a denial-of-service (DoS) vulnerability in the file-type Node.js module. A maliciously crafted ZIP archive can trigger excessive memory allocation during file type detection via fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(), leading to instability or crashes in any application that depends on the module to identify uploaded files. Fixed versions are 21.3.2 and, on the 20.x release line, 20.0.1; versions of 21.x before 21.3.2 are affected.
The impact of CVE-2026-32630 is denial of service. An attacker submits a specially crafted ZIP file to an application that runs file-type on user-supplied content; while trying to identify the format, the library inflates the archive's contents and allocates memory proportional to the decompressed size rather than the input size. The advisory notes that a 255 KB ZIP can drive roughly 257 MB of allocation during detection, about a thousandfold amplification, which is enough to exhaust available memory and slow down or crash the process. The blast radius is any service that accepts uploads and relies on file-type to classify them, for example an upload handler that decides how to store or process a file based on its detected type.
CVE-2026-32630 was publicly disclosed on 2026-03-13. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's relatively simple exploitation vector suggests that PoCs may emerge. The vulnerability's impact is primarily denial of service, making it less attractive to attackers seeking data exfiltration or remote code execution.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC: not listed
CVSS Vector: not listed
The primary mitigation for CVE-2026-32630 is to upgrade file-type to 21.3.2 or later (20.0.1 on the 20.x line). The fix enforces the ZIP inflate output limit for all input types, so detection stops reading an entry once the cap is reached instead of growing memory to the full decompressed size. If upgrading is not immediately feasible, cap the size of uploads before they reach the detector and restrict accepted types where the application allows it; note that an input size cap alone does not bound the decompressed size, which is exactly what this bug exploits. A WAF or proxy can reject obviously malformed archives, but a decompression bomb is a syntactically valid ZIP and is not reliably distinguishable from a legitimate one without inflating it, so treat that control as defence in depth rather than a fix. No public Sigma or YARA rules are listed for this CVE; monitoring heap usage and allocation spikes around file type detection calls can give an early indication of attempts.
Update the file-type library to 21.3.2 or later (or 20.0.1 if you remain on the 20.x line), which fixes the denial of service caused by unbounded ZIP decompression. You can update with npm or yarn.
CVE-2026-32630 is a denial-of-service vulnerability in the file-type Node.js module. A crafted ZIP file can cause excessive memory growth, potentially crashing the application.
You are affected if you use a version of file-type before the fixed releases (21.3.2, or 20.0.1 on the 20.x line) and run it on user-supplied files that may be ZIP archives.
Upgrade the file-type module to version 21.3.2 or later. Consider input validation as an interim measure.
There is currently no evidence of active exploitation, but the vulnerability is relatively simple to exploit.
Refer to the file-type module's repository or documentation for the official advisory and release notes.