CVE-2026-31988
Description
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
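The two loop conditions from the description, compared side by side in an added example. This is not yauzl's source code: `ntfsMtime`, `tryParse` and both sample buffers are constructed here for illustration, and the field layout (4 reserved bytes, then tag/size attribute records) is assumed from the PKWARE APPNOTE.

```javascript
// Added illustration, not yauzl's source. Walks the tag/size attribute records
// in an NTFS (0x000a) extra field body; layout per the PKWARE APPNOTE.
const EPOCH_DELTA_MS = 11644473600000n; // 1601-01-01 to 1970-01-01, in ms

function ntfsMtime(data, mayContinue) {
  let cursor = 4; // skip the 4 reserved bytes
  while (mayContinue(cursor, data.length)) {
    const tag = data.readUInt16LE(cursor);
    const size = data.readUInt16LE(cursor + 2);
    cursor += 4;
    // Attribute 0x0001 holds Mtime, Atime, Ctime as 8-byte FILETIME values.
    if (tag === 0x0001 && size >= 8 && cursor + 8 <= data.length) {
      const ticks = data.readBigUInt64LE(cursor); // 100 ns units since 1601
      return new Date(Number(ticks / 10000n - EPOCH_DELTA_MS));
    }
    cursor += size;
  }
  return null; // no usable timestamp attribute
}

// Condition quoted in the CVE description: still true at the end of the buffer.
const flawed = (cursor, length) => cursor < length + 4;
// Corrected condition: a full 4-byte tag/size header must fit in the buffer.
const fixed = (cursor, length) => cursor + 4 <= length;

// Report the outcome instead of letting the exception take the process down.
function tryParse(data, mayContinue) {
  try {
    return { ok: true, value: ntfsMtime(data, mayContinue) };
  } catch (err) {
    return { ok: false, code: err.code };
  }
}

// Constructed sample: one complete attribute with Mtime = 2020-01-01T00:00:00Z.
function wellFormedField() {
  const buf = Buffer.alloc(4 + 4 + 24);
  buf.writeUInt16LE(0x0001, 4);
  buf.writeUInt16LE(24, 6);
  buf.writeBigUInt64LE((BigInt(Date.UTC(2020, 0, 1)) + EPOCH_DELTA_MS) * 10000n, 8);
  return buf;
}
// Constructed sample: reserved bytes plus 2 stray bytes, no complete header.
const truncatedField = Buffer.alloc(6);

console.log(tryParse(wellFormedField(), fixed));
console.log(tryParse(truncatedField, flawed));
console.log(tryParse(truncatedField, fixed));
```

In this sketch the flawed condition only survives when the loop returns early on a complete timestamp attribute; any other field body reaches a read past the end, which Node.js reports as `ERR_OUT_OF_RANGE`.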
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yauzl (npm) | >= 3.2.0, < 3.2.1 | 3.2.1 |
Affected products
74 entries (OSV coordinates); no CPE is listed for any of them.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/code-server | < 4.110.1-r1 |
| pkg:apk/chainguard/foxx-cli | < 2.1.1-r4 |
| pkg:apk/chainguard/gemini-cli | < 0.33.2-r0 |
| pkg:apk/chainguard/kibana-7 | < 7.17.29-r7 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r12 |
| pkg:apk/chainguard/kibana-8.18 | < 8.18.8-r10 |
| pkg:apk/chainguard/kibana-8.18-bitnami | < 8.18.8-r10 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | < 8.18.8-r10 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.13-r0 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.13-r0 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.13-r0 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r13 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r0 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.6-r3 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.2-r0 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.2-r0 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r13 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r16 |
| pkg:apk/chainguard/librechat | < 0.8.4-r3 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-maps | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-notifications | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-observability | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbench | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-reporting | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevance | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizations | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-plugin | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-plugin | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-maps | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notifications | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observability | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbench | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reporting | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevance | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizations | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-plugin | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboards | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-plugin | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-plugin | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboards | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r8 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r5 |
| pkg:apk/chainguard/renovate | < 43.77.0-r0 |
| pkg:apk/wolfi/code-server | < 4.110.1-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-maps | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-notifications | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-observability | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbench | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-reporting | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevance | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizations | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboards | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-plugin | < 2.19.5-r1 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r8 |
| pkg:apk/wolfi/renovate | < 43.77.0-r0 |
| pkg:npm/yauzl | >= 3.2.0, < 3.2.1 |
References
- github.com/advisories/GHSA-gmq8-994r-jv83 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-31988 (source: ghsa, type: ADVISORY)
- github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe (source: nvd, type: WEB)
- www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash (source: nvd, type: WEB)
- www.npmjs.com/package/yauzl (source: nvd, type: WEB)
- www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser (source: nvd, type: WEB)