CVE-2026-32256

CVSS v3.1

7.5

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

music-metadata's ASF parser (parseExtensionObject() in lib/asf/AsfParser.ts:112-158) enters an infinite loop when a sub-object inside the ASF Header Extension Object has objectSize = 0.

Root Cause

When objectSize is 0:

remaining = 0 - 24 = -24
tokenizer.ignore(-24) moves the read position backward by 24 bytes
extensionSize -= 0 (loop counter never decreases)
while (extensionSize > 0) never exits
The same 24-byte header is re-read infinitely

This is the same pattern as CVE-2026-31808 (GHSA-5v7r-6r5c-r473) in file-type — strtok3's AbstractTokenizer.ignore() accepts negative values without validation.

Affected Methods

parseFile() — HANGS (FileTokenizer inherits vulnerable ignore())
parseBuffer() — HANGS (BufferTokenizer inherits vulnerable ignore())
parseStream() — NOT affected (ReadStreamTokenizer has own ignore() that throws RangeError)

Impact

A 100-byte crafted .asf file permanently hangs any application using parseFile() or parseBuffer(). music-metadata has 2.2M weekly npm downloads.

Suggested Fix

Validate objectSize >= minimumHeaderSize before calculating the payload. Or fix strtok3's AbstractTokenizer.ignore() to reject negative values.

Fix

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-835

Related Identifiers

CVE-2026-32256

GHSA-V6C2-XWV6-8XF7

Affected Products

Music-Metadata

CVE-2026-32256

Summary

Root Cause

Affected Methods

Impact

Suggested Fix

Weakness Enumeration

Related Identifiers

Affected Products

References · 5