CVE-2026-32256

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32256
music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version 11.12.3 fixes the issue.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/Borewit/music-metadata/releases/tag/v11.12.3 Product Release Notes
https://github.com/Borewit/music-metadata/security/advisories/GHSA-v6c2-xwv6-8xf7 Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:borewit:music-metadata:*:*:*:*:*:*:*:*
History

19 Mar 2026, 18:07

Type Values Removed Values Added
CPE cpe:2.3:a:borewit:music-metadata:*:*:*:*:*:*:*:*
First Time Borewit music-metadata
Borewit
References () https://github.com/Borewit/music-metadata/releases/tag/v11.12.3 - () https://github.com/Borewit/music-metadata/releases/tag/v11.12.3 - Product, Release Notes
References () https://github.com/Borewit/music-metadata/security/advisories/GHSA-v6c2-xwv6-8xf7 - () https://github.com/Borewit/music-metadata/security/advisories/GHSA-v6c2-xwv6-8xf7 - Mitigation, Vendor Advisory

18 Mar 2026, 14:52

Type Values Removed Values Added
Summary
  • (es) music-metadata es un analizador de metadatos para archivos multimedia de audio y video. Antes de la versión 11.12.3, el analizador ASF de music-metadata ('parseExtensionObject()' en 'lib/asf/AsfParser.ts:112-158') entra en un bucle infinito cuando un subobjeto dentro del Objeto de Extensión de Encabezado ASF tiene 'objectSize = 0'. La versión 11.12.3 corrige el problema.

18 Mar 2026, 04:17

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-18 04:17

Updated : 2026-03-19 18:07

NVD link : CVE-2026-32256

Mitre link : CVE-2026-32256

CVE.ORG link : CVE-2026-32256

JSON object : View

Products Affected

borewit

  • music-metadata
CWE
CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')