Description
An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.
References (4)
Core 4
Core References
Product, Third Party Advisory x_refsource_misc
https://www.npmjs.com/package/file-type
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/sindresorhus/file-type/releases/tag/v17.1.3
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/sindresorhus/file-type/releases/tag/v16.5.4
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220909-0005/
Scores
CVSS v3
5.5
EPSS
0.0038
EPSS Percentile
29.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-835
Status
published
Products (3)
file-type_project/file-type
< 16.5.4
npm/file-type
13.0.0 - 16.5.4npm
sindresorhus/file-type
< 16.5.4
Published
Jul 21, 2022
Tracked Since
Feb 18, 2026