PT-2026-25383 · Root+3 · @Rootio/File-Type+1

Byamb4 · Published 2026-03-13 · Updated 2026-05-22 · CVE-2026-32630

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: file-type versions 20.0.0 through 21.3.1

Description: file-type detects the file type of a file, stream, or data. A crafted ZIP file can trigger excessive memory growth during type detection when using the fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile() APIs. The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. This allows a small compressed ZIP file to make file-type inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This is an availability issue: affected applications may consume large amounts of memory, become slow, or crash.

The issue stems from different limits being applied to ZIP detection depending on whether the tokenizer had a known file size. For known-size inputs, Number.MAX_SAFE_INTEGER was used instead of a more appropriate limit, allowing a crafted ZIP to bypass the intended inflate limit. A ZIP file of approximately 255 KB can cause about 257 MB of RSS growth during fileTypeFromBuffer() on version 21.3.1. The affected APIs are fileTypeFromBuffer(), fileTypeFromBlob(), and fileTypeFromFile().

Recommendations: file-type versions 20.0.0 through 21.3.1 should be updated to version 21.3.2 or later.

Tags: Exploit · Fix · DoS · Resource Exhaustion

Related Identifiers: CVE-2026-32630, GHSA-J47W-4G3G-C36V

Affected Products: @Rootio/File-Type, File-Type