CVE-2026-32630

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124	Patch
https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v	Exploit Vendor Advisory
https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*

History

17 Jun 2026, 10:36

Type	Values Removed	Values Added
Summary		(es) file-type detecta el tipo de archivo de un archivo, flujo o datos. Desde 20.0.0 hasta 21.3.1, un archivo ZIP manipulado puede provocar un crecimiento excesivo de la memoria durante la detección de tipo en file-type al usar fileTypeFromBuffer(), fileTypeFromBlob() o fileTypeFromFile(). El límite de salida de descompresión ZIP se aplica para la detección basada en flujo, pero no para entradas de tamaño conocido. Como resultado, un ZIP comprimido pequeño puede hacer que file-type descomprima y procese una carga útil mucho mayor mientras sondea formatos basados en ZIP como OOXML. Esta vulnerabilidad está corregida en 21.3.2.

17 Mar 2026, 19:05

Type	Values Removed	Values Added
References	~~() https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124 -~~	() https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124 - Patch
References	~~() https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v -~~	() https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v - Exploit, Vendor Advisory
CPE		cpe:2.3:a:sindresorhus:file-type::::::node.js::*
First Time		Sindresorhus file-type Sindresorhus

16 Mar 2026, 18:16

Type	Values Removed	Values Added
References	~~() https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v -~~	() https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v -

16 Mar 2026, 14:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 14:19

Updated : 2026-06-17 10:36

NVD link : CVE-2026-32630

Mitre link : CVE-2026-32630

CVE.ORG link : CVE-2026-32630

JSON object : View

Products Affected

sindresorhus

file-type

CWE

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

5.3 /10