CVE-2026-31808 Overview
CVE-2026-31808 is a Denial of Service vulnerability affecting the file-type npm package, a popular library used to detect the file type of files, streams, or data in Node.js applications. The vulnerability exists in the ASF (WMV/WMA) file type detection parser, where parsing a crafted input with a zero-sized ASF sub-header causes the parser to enter an infinite loop, effectively stalling the Node.js event loop.
Critical Impact
An attacker can completely stall a Node.js application's event loop with a specially crafted 55-byte payload, causing denial of service for all users of the affected application.
Affected Products
- file-type npm package versions prior to 21.3.1
- Node.js applications using vulnerable file-type versions for file type detection
- Any application processing untrusted or attacker-controlled file input with file-type
Discovery Timeline
- 2026-03-10 - CVE-2026-31808 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-31808
Vulnerability Analysis
This vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The flaw resides in the ASF file format parser used to detect Windows Media Video (WMV) and Windows Media Audio (WMA) files.
The root issue occurs when the parser encounters an ASF sub-header with a size field explicitly set to zero. Under normal circumstances, the parser reads a sub-header, processes its payload based on the declared size, and advances the read position to the next sub-header. However, when the size field is zero, the calculated payload value becomes negative (-24 bytes). This negative value is passed to tokenizer.ignore(payload), which instead of advancing the read position forward, moves it backward. This causes the parser to repeatedly read the same malformed sub-header indefinitely, creating an infinite loop condition.
The attack surface is significant because file-type is widely used in Node.js applications for content validation, file upload processing, and media handling. Any application that processes untrusted file uploads or streams without size or timeout limits is potentially vulnerable.
Root Cause
The root cause is insufficient validation of the ASF sub-header size field before arithmetic operations. When the size field is zero, the calculation for the payload offset produces a negative value. The tokenizer.ignore() function does not properly handle or reject negative input values, resulting in backward seeking rather than forward advancement through the data stream.
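The following toy model, added here and not taken from file-type or its tokenizer, shows the loop shape described above and the check that closes it. The Tokenizer class, walkSubHeaders() and subHeader() are constructed for illustration; only the 24-byte sub-header layout (16-byte GUID plus 8-byte size) and the unsigned tokenizer.ignore() behaviour come from the advisory text. The maxIterations cap exists so the flawed path terminates in a demonstration.

```javascript
const ASF_SUB_HEADER_LEN = 24; // 16-byte object GUID followed by an 8-byte little-endian size

// Minimal stand-in for the real tokenizer: a byte buffer plus a read position.
class Tokenizer {
  constructor(buf) { this.buf = buf; this.position = 0; }
  readSubHeader() {
    if (this.position + ASF_SUB_HEADER_LEN > this.buf.length) return null; // clean end of input
    const guid = this.buf.subarray(this.position, this.position + 16);
    const size = Number(this.buf.readBigUInt64LE(this.position + 16));
    this.position += ASF_SUB_HEADER_LEN;
    return { guid, size };
  }
  // Advances by n bytes with no sign check, the behaviour the advisory describes:
  // a negative n moves the read position backward instead of forward.
  ignore(n) { this.position += n; }
}

// Walks the sub-header chain. validate=false mirrors the flawed logic; validate=true rejects any
// size smaller than the header itself before the payload arithmetic can go negative.
// maxIterations is a safety cap for this demonstration only, so the flawed path still returns.
function walkSubHeaders(buf, { validate = true, maxIterations = 1000 } = {}) {
  const t = new Tokenizer(buf);
  const sizes = [];
  for (let i = 0; i < maxIterations; i++) {
    const h = t.readSubHeader();
    if (h === null) return { stalled: false, sizes };
    if (validate && h.size < ASF_SUB_HEADER_LEN) {
      throw new RangeError(`ASF sub-header size ${h.size} is smaller than the ${ASF_SUB_HEADER_LEN}-byte header`);
    }
    sizes.push(h.size);
    t.ignore(h.size - ASF_SUB_HEADER_LEN); // payload length; -24 when the size field is 0
  }
  return { stalled: true, sizes }; // read position never moved past the input: an unbounded loop
}

// Constructed test data: one sub-header whose size field is `size`, followed by its payload bytes.
// The GUID is left as zeros because this model does not inspect it.
function subHeader(size, payload = Buffer.alloc(Math.max(size - ASF_SUB_HEADER_LEN, 0))) {
  const header = Buffer.alloc(ASF_SUB_HEADER_LEN);
  header.writeBigUInt64LE(BigInt(size), 16);
  return Buffer.concat([header, payload]);
}
```

The hardened branch is the whole fix in miniature: a size field that cannot cover its own header is rejected before it reaches the arithmetic, so ignore() is never asked to move backward. The flawed branch, without the cap, would re-read the same 24 bytes forever.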
Attack Vector
The attack exploits the network-accessible nature of applications that accept file uploads or process remote file streams. An attacker can craft a minimal 55-byte payload containing a malformed ASF header with a zero-sized sub-header field. When this payload is processed by the vulnerable file-type library, the parsing logic enters an infinite loop. Since Node.js operates on a single-threaded event loop model, this infinite loop blocks all other operations in the application, effectively causing a complete denial of service.
The attack requires no authentication or special privileges—any user or external system capable of submitting file data to the application can trigger the vulnerability. The technical complexity is low, as the malicious payload is minimal and well-documented in the security advisory.
Detection Methods for CVE-2026-31808
Indicators of Compromise
- Unusual CPU spikes in Node.js processes processing file uploads or streams
- Application hangs or timeouts specifically when handling WMV/WMA files or ASF-formatted content
- Event loop lag metrics showing sustained blocking in file processing operations
- Presence of small (approximately 55 bytes) ASF-formatted files with malformed header structures
Detection Strategies
- Monitor Node.js event loop lag metrics for anomalous blocking behavior
- Implement application-level logging around file-type detection operations to identify processing delays
- Use software composition analysis (SCA) tools to identify vulnerable versions of the file-type package in your dependency tree
- Review application logs for repeated or stalled file processing requests from the same source
Monitoring Recommendations
- Configure alerting on CPU utilization thresholds for Node.js worker processes
- Implement request timeout policies for file upload and processing endpoints
- Deploy application performance monitoring (APM) to detect event loop blocking
- Establish baseline metrics for file processing duration to identify anomalies
How to Mitigate CVE-2026-31808
Immediate Actions Required
- Update the file-type package to version 21.3.1 or later immediately
- Audit all Node.js applications in your environment for usage of the vulnerable library
- Implement request timeouts on all file processing endpoints as a defense-in-depth measure
- Review and restrict file upload capabilities to trusted users where possible
Patch Information
The vulnerability has been fixed in file-type version 21.3.1. The fix addresses the infinite loop condition by properly validating the ASF sub-header size field before performing payload calculations. Organizations should update their package dependencies and deploy the patched version as soon as possible. The fixing commit is published on GitHub, and full details are documented in the GitHub Security Advisory GHSA-5v7r-6r5c-r473.
Workarounds
- Implement processing timeouts using worker threads or child processes to isolate file detection operations
- Add file size validation before processing to reject suspiciously small files claiming to be media containers
- Use alternative file type detection methods that do not rely on deep parsing for untrusted input
- Deploy rate limiting on file upload endpoints to limit the impact of potential attacks
# Install the patched file-type release (npm install, not npm update, accepts a version spec)
npm install file-type@^21.3.1
# Verify the installed version
npm list file-type
# For yarn users
yarn upgrade file-type@^21.3.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.