PT-2026-24463 · File-Type · File-Type

Crnkovic · Published 2026-03-10 · Updated 2026-05-22 · CVE-2026-31808

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

file-type versions prior to 21.3.1

Description

A denial of service issue exists in the ASF (WMV/WMA) file type detection parser within file-type. When processing a specially crafted input where an ASF sub-header has a size field of zero, the parser gets stuck in an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, repeatedly reading the same sub-header. Applications utilizing file-type to detect the type of untrusted input are susceptible. An attacker can disrupt the Node.js event loop with a 55-byte payload.

Recommendations

Update to version 21.3.1 or later.
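The loop described above, as an added JavaScript model that is not file-type's source code: it assumes a 24-byte sub-header (16-byte object id plus 8-byte little-endian size), and `ModelTokenizer`, `walk`, `subHeader` and the `maxSteps` guard are hypothetical names introduced here. It runs the unvalidated walk beside one that rejects a size smaller than the header, on constructed buffers.

```javascript
// Added illustration: a simplified model of an ASF sub-header walk, not file-type's code.
const HEADER_LEN = 24; // assumed sub-header layout: 16-byte object id + 8-byte LE size

// Hypothetical stand-in for a tokenizer: ignore() moves the read position by a signed amount.
class ModelTokenizer {
  constructor(buf) { this.buf = buf; this.position = 0; }
  readHeader() {
    const size = Number(this.buf.readBigUInt64LE(this.position + 16));
    this.position += HEADER_LEN;
    return { size };
  }
  ignore(n) { this.position += n; } // a negative n rewinds the position
}

// Walk sub-headers until fewer than HEADER_LEN bytes remain.
// validate: reject a size field smaller than the header itself.
// maxSteps: demo-only guard so the unvalidated walk returns instead of hanging.
function walk(buf, { validate, maxSteps = 1000 }) {
  const t = new ModelTokenizer(buf);
  let steps = 0;
  while (t.position + HEADER_LEN < buf.length) {
    if (++steps > maxSteps) return { outcome: 'stuck', steps: maxSteps, position: t.position };
    const { size } = t.readHeader();
    const payload = size - HEADER_LEN; // a size field of 0 gives -24
    if (validate && payload < 0) return { outcome: 'rejected', steps, position: t.position };
    t.ignore(payload);
  }
  return { outcome: 'done', steps, position: t.position };
}

// Constructed sample data: a sub-header with the given size field plus payloadLen filler bytes.
function subHeader(size, payloadLen) {
  const b = Buffer.alloc(HEADER_LEN + payloadLen);
  b.writeBigUInt64LE(BigInt(size), 16);
  return b;
}
const wellFormed = Buffer.concat([subHeader(32, 8), subHeader(24, 0), Buffer.alloc(1)]);
const zeroSize = Buffer.concat([subHeader(32, 8), subHeader(0, 0), Buffer.alloc(1)]);

console.log(walk(wellFormed, { validate: false }));
console.log(walk(zeroSize, { validate: false }));
console.log(walk(zeroSize, { validate: true }));
```

In the unvalidated run on `zeroSize` the position returns to the same offset after every iteration, which is the condition to alert on when fuzzing or reviewing similar length-prefixed parsers.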

Exploit

Fix

DoS

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2026-31808
GHSA-5V7R-6R5C-R473

Affected Products

File-Type