CVE-2026-32630

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L                                    

Vulnerability Description

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.

Vulnerability Details

Published Date

March 13, 2026

Last Modified

March 17, 2026

CWE ID

CWE-409

Source

GitHub

Vendor

npm

Product

file-type

External References

https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v
https://github.com/sindresorhus/file-type/commit/a155cd71323279de173c54e8c530d300d3854fdd
https://github.com/sindresorhus/file-type/releases/tag/v21.3.2
https://github.com/advisories/GHSA-j47w-4g3g-c36v

CVE-2026-32630

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment