Platform
nodejs
Component
file-type
Fixed in
13.0.1
21.3.1
CVE-2026-31808 describes a denial-of-service (DoS) vulnerability within the file-type module for Node.js. This flaw arises from an infinite loop triggered when parsing specially crafted ASF (WMV/WMA) files. An attacker can exploit this to stall the Node.js event loop, potentially impacting application availability. The vulnerability affects versions prior to 21.3.1, and a fix is available in version 21.3.1.
The primary impact of CVE-2026-31808 is a denial-of-service condition. An attacker can craft a malicious ASF file containing a sub-header with a size field of zero. When the file-type module attempts to parse this file, it enters an infinite loop, consuming significant CPU resources and effectively freezing the Node.js event loop. This can lead to application unresponsiveness, service outages, and potential exploitation of other vulnerabilities if the application is unable to respond to legitimate requests. The attack requires only the ability to provide a crafted file to the application, making it relatively easy to exploit.
CVE-2026-31808 was publicly disclosed on 2026-03-10. No known public proof-of-concept (PoC) exploits are currently available, but the vulnerability's simplicity suggests that a PoC could be developed relatively easily. The EPSS score is likely to be assessed as low to medium probability due to the need for controlled file input, but the potential impact warrants attention. It is not currently listed on the CISA KEV catalog.
Applications that rely on the file-type module to determine file types, particularly those handling untrusted or attacker-controlled input, are at risk. This includes web applications with file upload functionality, media processing services, and any Node.js application utilizing the file-type module for file type detection.
• nodejs / server:
npm list file-type
This command lists the installed version of the file-type module. If the version is below 21.3.1, the system is vulnerable.
• nodejs / server:
journalctl -u nodejs | grep -i "file-type"
Monitor Node.js logs for errors or unusual activity related to the file-type module, particularly around file parsing.
• generic web:
Inspect file upload endpoints for proper ASF file validation. Ensure that the size field of ASF sub-headers is validated to prevent zero-sized values.
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-31808 is to upgrade the file-type module to version 21.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to reject ASF files with zero-sized sub-headers. While not a complete solution, this can reduce the attack surface. Additionally, implement rate limiting on file uploads to prevent an attacker from overwhelming the system with malicious files. After upgrading, confirm the fix by attempting to parse a known malicious ASF file (if available) and verifying that the application does not enter an infinite loop.
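The zero-sized sub-header check that the detection step and the mitigation above describe, written out as an added example (not code from the file-type project or the advisory). It assumes the standard ASF header layout and builds its own constructed sample inputs rather than reading real files:

```javascript
// Added example, not file-type project code: a pre-parse check that rejects an
// ASF file whose top-level sub-object declares a size of zero, so such input
// never reaches a vulnerable file-type version. Assumed (standard ASF) layout:
// Header Object = 16-byte GUID, 8-byte LE size, 4-byte sub-object count, 2 reserved
// bytes; each sub-object = 16-byte GUID + 8-byte LE size that includes those 24 bytes.
const ASF_HEADER_GUID = Buffer.from('3026b2758e66cf11a6d900aa0062ce6c', 'hex');
const HEADER_OBJECT_LEN = 30;
const SUB_OBJECT_HEADER_LEN = 24;

function validateAsfSubHeaders(buf) {
  if (buf.length < HEADER_OBJECT_LEN || !buf.subarray(0, 16).equals(ASF_HEADER_GUID)) {
    return { ok: false, reason: 'not an ASF header' };
  }
  const headerEnd = Math.min(Number(buf.readBigUInt64LE(16)), buf.length);
  const count = buf.readUInt32LE(24);
  let offset = HEADER_OBJECT_LEN;
  for (let i = 0; i < count; i++) {
    if (offset + SUB_OBJECT_HEADER_LEN > headerEnd) {
      return { ok: false, reason: `sub-object ${i} is truncated` };
    }
    const size = Number(buf.readBigUInt64LE(offset + 16));
    // A size smaller than the 24-byte object header (zero included) cannot advance
    // the cursor, which is exactly what makes a naive parser loop forever.
    if (size < SUB_OBJECT_HEADER_LEN) {
      return { ok: false, reason: `sub-object ${i} declares invalid size ${size}` };
    }
    offset += size;
  }
  return { ok: true, objects: count };
}

// Constructed sample builder: an ASF header whose sub-objects have the given sizes.
function buildAsf(subSizes) {
  const subs = subSizes.map((size) => {
    const o = Buffer.alloc(Math.max(size, SUB_OBJECT_HEADER_LEN));
    o.fill(0x11, 0, 16); // arbitrary sub-object GUID
    o.writeBigUInt64LE(BigInt(size), 16);
    return o;
  });
  const body = Buffer.concat(subs);
  const head = Buffer.alloc(HEADER_OBJECT_LEN);
  ASF_HEADER_GUID.copy(head, 0);
  head.writeBigUInt64LE(BigInt(HEADER_OBJECT_LEN + body.length), 16);
  head.writeUInt32LE(subs.length, 24);
  head[28] = 0x01;
  head[29] = 0x02;
  return Buffer.concat([head, body]);
}
```

Run the check on an upload before handing the buffer to file-type; a rejected buffer is logged and dropped instead of parsed.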
Update the `file-type` dependency to version 21.3.1 or later. This fixes the denial-of-service vulnerability caused by an infinite loop when processing malformed ASF files. Run `npm install file-type@latest` or `yarn upgrade file-type` to update.
CVE-2026-31808 is a denial-of-service vulnerability in the file-type Node.js module, allowing an attacker to stall the event loop by providing a crafted ASF file.
You are affected if you are using a version of the file-type module prior to 21.3.1 and handle untrusted ASF files.
Upgrade the file-type module to version 21.3.1 or later. If upgrading is not possible, implement input validation to reject ASF files with zero-sized sub-headers.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Node.js security advisories and the file-type module's repository for updates and information.