CVE-2026-31988 Overview
CVE-2026-31988 is a denial of service vulnerability in yauzl (yet another unzip library) version 3.2.0 for Node.js. It stems from an off-by-one error in the parser for the NTFS extended timestamp extra field (tag 0x000a) inside the getLastModDate() function. The while loop that walks the field's attributes tests cursor < data.length + 4 instead of the correct cursor + 4 <= data.length, so the loop body can call readUInt16LE() at an offset past the end of the buffer. Node's Buffer refuses such a read and throws a RangeError with code ERR_OUT_OF_RANGE; when that exception is not caught, the process exits. A remote attacker can trigger it by supplying a zip file whose NTFS extra field is truncated or otherwise malformed.
Critical Impact
Remote attackers can crash Node.js applications that process untrusted zip files, for example uploads, by exploiting the off-by-one error to raise an exception the application does not catch, causing service disruption.
Affected Products
- yauzl version 3.2.0 for Node.js
- Node.js applications using yauzl 3.2.0 that process zip file uploads
- Applications calling entry.getLastModDate() on parsed zip entries
Discovery Timeline
- 2026-03-11 - CVE-2026-31988 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31988
Vulnerability Analysis
This vulnerability is classified under CWE-193 (Off-by-one Error), a common boundary condition error that occurs when an algorithm iterates one time too many or too few. In yauzl 3.2.0, the NTFS extended timestamp extra field parser within the getLastModDate() function contains a flawed loop boundary condition. The incorrect comparison allows the cursor to advance beyond safe buffer boundaries before the termination check occurs.
The root cause is the loop's boundary check. Each iteration reads a 2-byte attribute tag and a 2-byte attribute size with readUInt16LE(), so it needs four bytes left in the buffer. Checking cursor < data.length + 4 instead of cursor + 4 <= data.length lets the loop start an iteration when fewer than four bytes (or none at all) remain, and the read then targets an offset past the end of the buffer. Node's Buffer bounds check rejects it and throws RangeError [ERR_OUT_OF_RANGE]; no memory is actually read out of bounds, so the impact is the crash rather than any disclosure.
Root Cause
The vulnerability originates from an incorrect boundary check in the while loop that walks the attributes of the NTFS extended timestamp extra field. The condition cursor < data.length + 4 is looser than the safe check cursor + 4 <= data.length: the safe check stops as soon as fewer than four bytes remain, while the flawed one keeps iterating as long as cursor is below data.length + 4, that is, even after cursor has reached or passed the end of the buffer. The loop therefore proceeds when insufficient bytes remain for the next read. When an attacker provides a zip file with a truncated or malformed NTFS extra field, the parser attempts to read beyond the buffer limit and the read throws.
Attack Vector
The attack can be executed remotely over the network. An attacker constructs a malicious zip file containing an NTFS extra field with insufficient data bytes. When a vulnerable Node.js application receives this file and processes it using yauzl's entry.getLastModDate() method, the off-by-one error causes the parser to read beyond the buffer boundary.
Exploitation is straightforward because it only requires the ability to upload or transmit a zip file to the target application. No authentication is required, and no user interaction is needed beyond the application's normal file processing. The RangeError is thrown synchronously from getLastModDate(), so it is fatal only where the caller does not catch it. The impact is confined to availability, crashing the Node.js process with an unhandled exception, with no direct compromise of confidentiality or integrity.
Detection Methods for CVE-2026-31988
Indicators of Compromise
- Unexpected Node.js process crashes with ERR_OUT_OF_RANGE exceptions in application logs
- Stack traces pointing to yauzl's getLastModDate() function or NTFS timestamp parsing code
- Uploaded zip files whose NTFS extra fields (tag 0x000a) are truncated or otherwise malformed, especially when such files arrive repeatedly from the same source
- Application restarts correlating with zip file processing operations
Detection Strategies
- Monitor application logs for RangeError [ERR_OUT_OF_RANGE] exceptions whose stack traces pass through yauzl, particularly during zip file processing
- Validate uploaded zip files before handing them to yauzl, rejecting entries whose NTFS extra field is shorter than the attribute headers and sizes it declares
- Do not expect runtime application self-protection (RASP) or memory-safety tooling to flag a boundary violation: Node's Buffer check turns the bad read into a thrown JavaScript exception, so at most such tooling reports the exception itself
- Use software composition analysis (SCA) tools to identify yauzl version 3.2.0 in project dependencies
Monitoring Recommendations
- Configure alerting for repeated process crashes in Node.js applications handling zip uploads
- Monitor package.json and package-lock.json files for vulnerable yauzl versions across your environment
- Implement centralized logging to correlate crash events with incoming file upload requests
- Review npm audit outputs regularly for known vulnerabilities in dependencies
How to Mitigate CVE-2026-31988
Immediate Actions Required
- Upgrade yauzl to version 3.2.1 or later, which contains the fix for this vulnerability
- Run npm audit to identify all applications using the vulnerable yauzl version
- Implement input validation for zip files before processing with yauzl
- Consider adding try-catch blocks around getLastModDate() calls as a temporary defensive measure
Patch Information
The vulnerability has been fixed in yauzl version 3.2.1. The patch corrects the boundary condition in the while loop from cursor < data.length + 4 to cursor + 4 <= data.length, so that an iteration starts only when at least four bytes remain for the two readUInt16LE() calls. The fix is available via the GitHub commit.
Additional technical details are available from the Codeant Security Research, NPM Package Information, and VulnCheck Advisory.
Workarounds
- Wrap all calls to entry.getLastModDate() in try-catch blocks that catch a RangeError with code ERR_OUT_OF_RANGE and fall back to the entry's DOS date/time fields, rethrowing any other error
- Implement process supervisor tools (e.g., PM2, forever) to automatically restart crashed Node.js processes
- Use an alternative zip parsing library that does not exhibit this vulnerability until upgrade is possible
- Validate incoming zip files against a known-good structure before processing with yauzl
# Upgrade yauzl to the patched version (npm update does not take a version spec)
npm install yauzl@3.2.1
# Verify the installed version
npm ls yauzl
# Run a security audit on project dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.