CVE-2026-32630

MEDIUM

file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry

Title source: cna

Description

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.

References (2)

[X_Refsource_Confirm] https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v

[X_Refsource_Misc] https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0008

EPSS Percentile 22.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-409

Status published

Products (3)

npm/file-type 20.0.0 - 21.3.2npm

sindresorhus/file-type 20.0.0 - 21.3.2

sindresorhus/file-type >= 20.0.0, < 21.3.2

Published Mar 16, 2026

Tracked Since Mar 16, 2026