file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
Description
file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An infinite loop in the ASF parser of file-type before 21.3.1 can be triggered by a 55-byte crafted payload, stalling the Node.js event loop.
Vulnerability
The file-type npm package prior to version 21.3.1 contains a denial-of-service (DoS) vulnerability in its ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever [1][2][3].
Exploitation
The vulnerability can be exploited with a minimal 55-byte payload. Any Node.js application that uses file-type to detect the type of untrusted or attacker-controlled input is affected. An attacker can send this small crafted input to stall the Node.js event loop, effectively causing a denial-of-service condition [2][4].
Impact
Successful exploitation causes the file type detection to hang indefinitely, blocking the event loop and making the application unresponsive. This can be leveraged to disrupt services relying on file-type for processing user-uploaded files or network streams [4]. The commit that fixes the issue adds a safeguard that breaks the loop if the tokenizer position does not advance [3].
Mitigation
The vulnerability is fixed in file-type version 21.3.1. Users should upgrade to this version or later. If immediate upgrade is not possible, workarounds include validating or limiting the size of input buffers before passing them to file-type, or running file type detection in a worker thread with a timeout [4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
file-typenpm | >= 13.0.0, < 21.3.1 | 21.3.1 |
Affected products
2- sindresorhus/file-typev5Range: >= 13.0.0, < 21.3.1
Patches
1319abf871b50Fix infinite loop in ASF parser on malformed input
2 files changed · +16 −0
core.js+6 −0 modified@@ -1415,6 +1415,7 @@ export class FileTypeParser { await tokenizer.ignore(30); // Search for header should be in first 1KB of file. while (tokenizer.position + 24 < tokenizer.fileInfo.size) { + const previousPosition = tokenizer.position; const header = await readHeader(); let payload = header.size - 24; if (_check(header.id, [0x91, 0x07, 0xDC, 0xB7, 0xB7, 0xA9, 0xCF, 0x11, 0x8E, 0xE6, 0x00, 0xC0, 0x0C, 0x20, 0x53, 0x65])) { @@ -1442,6 +1443,11 @@ export class FileTypeParser { } await tokenizer.ignore(payload); + + // Safeguard against malformed files: break if the position did not advance. + if (tokenizer.position <= previousPosition) { + break; + } } // Default to ASF generic extension
test.js+10 −0 modified@@ -1022,6 +1022,16 @@ test('stringToBytes encodes correctly for selected characters and encodings', t t.is(new TextDecoder('utf-16be').decode(new Uint8Array(stringToBytes('🦄', 'utf-16be'))), '🦄', 'Decoded value should match original value'); }); +test('Does not hang on crafted ASF file with zero-size sub-header', async t => { + const buffer = Buffer.from('3026b2758e66cf11a6d9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', 'hex'); + const type = await fileTypeFromBuffer(buffer); + + t.deepEqual(type, { + ext: 'asf', + mime: 'application/vnd.ms-asf', + }); +}); + test('Does not crash or hang if provided with a partial gunzip file', async t => { const buffer = Uint8Array.from([31, 139, 8, 8, 137, 83, 29, 82, 0, 11]); const type = await fileTypeFromBuffer(buffer);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-5v7r-6r5c-r473ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31808ghsaADVISORY
- github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4fghsax_refsource_MISCWEB
- github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.