PT-2026-24893 · Root+4 · @Rootio/Yauzl+2
Josh Wolfe
+1
·
Published
2026-03-11
·
Updated
2026-04-03
·
CVE-2026-31988
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
yauzl version 3.2.0
Description
yauzl, also known as Yet Another Unzip Library, version 3.2.0 for Node.js contains an off-by-one error within the
getLastModDate() function, specifically in the NTFS extended timestamp extra field parser. The condition in a 'while' loop incorrectly checks cursor < data.length + 4 instead of cursor + 4 <= data.length, which allows the readUInt16LE() function to read beyond the buffer's boundaries. A remote attacker can exploit this by sending a specially crafted zip file containing a malformed NTFS extra field, leading to a denial of service and a process crash due to an ERR OUT OF RANGE exception. This impacts any Node.js application that processes zip file uploads and calls entry.getLastModDate() on the parsed entries.Recommendations
Update yauzl to version 3.2.1 or later.
Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Rootio/Yauzl
Node-Yauzl
Yauzl