CVE-2026-32256

Name of the Vulnerable Software and Affected Versions music-metadata versions prior to 11.12.3

Description music-metadata is a metadata parser for audio and video media files. The ASF parser within music-metadata, specifically the parseExtensionObject() function in lib/asf/AsfParser.ts:112-158, can enter an infinite loop when processing an ASF Header Extension Object containing a sub-object with objectSize equal to 0. This occurs because the ignore() function within the tokenizer accepts negative values without validation, leading to a continuous re-reading of a 24-byte header. The affected methods are parseFile() and parseBuffer(). An estimated 2.2 million weekly npm downloads are potentially impacted. A crafted 100-byte .asf file can cause applications using parseFile() or parseBuffer() to hang indefinitely. The parseStream() function is not affected as it uses a different ignore() implementation that throws a RangeError.

Recommendations Versions prior to 11.12.3 should be updated to version 11.12.3 or later.