The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32630

CVE-2026-32630: Sindresorhus File-type DoS Vulnerability

CVE-2026-32630 is a denial of service flaw in Sindresorhus File-type that allows crafted ZIP files to trigger excessive memory growth during detection. This article covers technical details, affected versions, and mitigation.

Published: March 20, 2026

CVE-2026-32630 Overview

CVE-2026-32630 is a resource exhaustion vulnerability in the popular file-type npm package, which is used to detect file types from files, streams, or data buffers. The vulnerability affects versions 20.0.0 through 21.3.1 and allows attackers to trigger excessive memory growth during type detection by supplying a specially crafted ZIP file.

The issue occurs when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile() functions. While the ZIP inflate output limit is properly enforced for stream-based detection, it is not enforced for known-size inputs. This allows a small compressed ZIP file to cause file-type to inflate and process a disproportionately larger payload while probing ZIP-based formats such as OOXML (Office Open XML).

Critical Impact

Applications processing user-uploaded files using the file-type package may experience denial of service through memory exhaustion when handling malicious ZIP files.

Affected Products

  • sindresorhus file-type versions 20.0.0 to 21.3.1
  • Node.js applications using vulnerable file-type versions
  • Applications processing ZIP or OOXML file uploads using file-type detection

Discovery Timeline

  • 2026-03-16 - CVE CVE-2026-32630 published to NVD
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-32630

Vulnerability Analysis

This vulnerability is classified as CWE-409: Improper Handling of Highly Compressed Data (Data Amplification). The root issue lies in an inconsistency in how the file-type library handles decompression limits across different input methods.

When file-type receives input via streaming APIs, it enforces an output limit on ZIP inflation to prevent memory exhaustion. However, when the same library processes known-size inputs through fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(), this protective limit is bypassed. This creates an exploitable condition where attackers can craft a ZIP file with a high compression ratio (a "ZIP bomb" variant) that appears small but expands dramatically when processed.

The vulnerability is particularly concerning for applications that handle OOXML formats (.docx, .xlsx, .pptx), as these are ZIP-based and file-type must partially inflate them to determine the file type. An attacker could upload a seemingly innocuous Office document that triggers the memory exhaustion during type detection.

Root Cause

The vulnerability stems from missing output limit enforcement in the code paths handling non-stream inputs. The fileTypeFromBuffer(), fileTypeFromBlob(), and fileTypeFromFile() functions do not apply the same ZIP inflate output restrictions that protect the streaming API. This architectural inconsistency allows the inflation process to consume unbounded memory when processing maliciously crafted compressed data.

Attack Vector

The attack is network-exploitable and requires no authentication or user interaction. An attacker simply needs to submit a crafted ZIP file (or ZIP-based format like OOXML) to any application endpoint that uses the vulnerable file-type functions for file type detection. The attack could target:

  • File upload handlers that validate file types before processing
  • Content management systems detecting media types
  • Document processing pipelines that inspect incoming files
  • Any Node.js service using file-type for MIME type detection

The attack payload is a small, highly compressed ZIP file that inflates to a much larger size, causing memory growth proportional to the uncompressed content size rather than the input size.

Detection Methods for CVE-2026-32630

Indicators of Compromise

  • Unusual memory consumption spikes in Node.js processes handling file uploads
  • Process crashes due to out-of-memory errors when processing seemingly small ZIP or OOXML files
  • Slow or unresponsive file processing endpoints
  • Logs showing file-type operations timing out or failing during ZIP-based format detection

Detection Strategies

  • Monitor Node.js process memory usage for sudden growth when processing uploaded files
  • Implement file size validation before passing files to file-type detection functions
  • Add logging around file-type function calls to correlate memory events with specific files
  • Use application performance monitoring (APM) to track memory allocation patterns during file processing

Monitoring Recommendations

  • Set up alerts for Node.js heap memory exceeding expected thresholds during file processing
  • Monitor for repeated service restarts that could indicate DoS conditions
  • Track file upload sizes versus processing memory consumption ratios
  • Implement circuit breakers on file processing endpoints to prevent cascading failures

How to Mitigate CVE-2026-32630

Immediate Actions Required

  • Upgrade the file-type package to version 21.3.2 or later immediately
  • Review all code paths using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile()
  • Implement input file size limits before type detection
  • Consider adding memory limits to Node.js processes handling file uploads as a defense-in-depth measure

Patch Information

The vulnerability is fixed in file-type version 21.3.2. The patch enforces consistent ZIP inflate output limits across all input methods, eliminating the disparity between stream-based and buffer-based detection. The fix is available via the GitHub commit 399b0f156063f5aeb1c124a7fd61028f3ea7c124.

For detailed information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-j47w-4g3g-c36v.

Workarounds

  • Implement strict file size limits (e.g., reject files over a reasonable threshold) before passing to file-type
  • Use stream-based detection via fileTypeFromStream() which properly enforces output limits
  • Add process-level memory limits using Node.js --max-old-space-size flag to contain potential memory exhaustion
  • Consider pre-validating file extensions before invoking file-type detection as a first-pass filter
bash
# Configuration example
# Update file-type to the patched version
npm update file-type@21.3.2

# Alternatively, install the specific patched version
npm install file-type@21.3.2 --save

# Set Node.js memory limits as defense-in-depth
node --max-old-space-size=512 app.js

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechSindresorhus File Type
  • SeverityMEDIUM
  • CVSS Score5.3
  • EPSS Probability0.05%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-409
  • Vendor Resources
  • GitHub Commit Update
  • GitHub Security Advisory GHSA-j47w-4g3g-c36v
  • Latest CVEs
  • CVE-2026-40322: SiYuan Knowledge Management RCE Vulnerability
  • CVE-2026-40318: SiYuan Path Traversal Vulnerability
  • CVE-2026-40259: SiYuan Auth Bypass Vulnerability
  • CVE-2026-40255: AdonisJS HTTP Server CSRF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English