Vulnerability Details CVE-2026-31808
file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.
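The loop described above, as an added example that is not file-type's own code or its actual patch. It models a sub-header as a 16-byte GUID followed by a 64-bit little-endian size that counts the 24-byte header itself. The Cursor class, walkSubHeaders, the maxSteps budget and both sample buffers are constructed for this illustration.

```javascript
// Assumed layout: 16-byte GUID + 8-byte little-endian size = 24-byte header.
const HEADER_LEN = 24;

// Hypothetical stand-in for a tokenizer: ignore() applies the offset
// without checking its sign, which is the behaviour the advisory describes.
class Cursor {
  constructor(buf) { this.buf = buf; this.position = 0; }
  readHeader() {
    const size = Number(this.buf.readBigUInt64LE(this.position + 16));
    this.position += HEADER_LEN;
    return { size };
  }
  ignore(n) { this.position += n; }
}

// Walk sub-headers. With validate=false the size field is trusted as-is.
// maxSteps exists only so this demo returns instead of spinning forever.
function walkSubHeaders(buf, { validate, maxSteps = 1000 }) {
  const cur = new Cursor(buf);
  let steps = 0;
  while (cur.position + HEADER_LEN <= buf.length) {
    if (++steps > maxSteps) {
      return { outcome: 'stalled', steps: maxSteps, position: cur.position };
    }
    const start = cur.position;
    const { size } = cur.readHeader();
    const payload = size - HEADER_LEN; // size 0 gives -24
    // Guard: a sub-header must cover its own header and stay inside the input.
    if (validate && (payload < 0 || start + size > buf.length)) {
      return { outcome: 'rejected', steps, position: start };
    }
    cur.ignore(payload); // negative payload rewinds to the same sub-header
  }
  return { outcome: 'done', steps, position: cur.position };
}

// Constructed sample: a single sub-header whose size field is zero.
function zeroSizeSubHeader() { return Buffer.alloc(HEADER_LEN); }

// Constructed sample: two well-formed sub-headers, each with an 8-byte payload.
function wellFormed() {
  const b = Buffer.alloc(64);
  b.writeBigUInt64LE(32n, 16);
  b.writeBigUInt64LE(32n, 32 + 16);
  return b;
}
```

Without the guard the cursor returns to offset 0 on every pass and only the step budget ends the walk. With it the zero-size sub-header is rejected on the first pass, and well-formed input is unaffected.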
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.0%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2026-31808
- cpe:2.3:a:sindresorhus:file-type:13.0.0
- cpe:2.3:a:sindresorhus:file-type:13.0.1
- cpe:2.3:a:sindresorhus:file-type:13.0.2
- cpe:2.3:a:sindresorhus:file-type:13.0.3
- cpe:2.3:a:sindresorhus:file-type:13.1.0
- cpe:2.3:a:sindresorhus:file-type:13.1.1
- cpe:2.3:a:sindresorhus:file-type:13.1.2
- cpe:2.3:a:sindresorhus:file-type:14.0.0
- cpe:2.3:a:sindresorhus:file-type:14.1.0
- cpe:2.3:a:sindresorhus:file-type:14.1.1
- cpe:2.3:a:sindresorhus:file-type:14.1.2
- cpe:2.3:a:sindresorhus:file-type:14.1.3
- cpe:2.3:a:sindresorhus:file-type:14.1.4
- cpe:2.3:a:sindresorhus:file-type:14.2.0
- cpe:2.3:a:sindresorhus:file-type:14.3.0
- cpe:2.3:a:sindresorhus:file-type:14.4.0
- cpe:2.3:a:sindresorhus:file-type:14.5.0
- cpe:2.3:a:sindresorhus:file-type:14.6.0
- cpe:2.3:a:sindresorhus:file-type:14.6.1
- cpe:2.3:a:sindresorhus:file-type:14.6.2
- cpe:2.3:a:sindresorhus:file-type:14.7.0
- cpe:2.3:a:sindresorhus:file-type:14.7.1
- cpe:2.3:a:sindresorhus:file-type:15.0.0
- cpe:2.3:a:sindresorhus:file-type:15.0.1
- cpe:2.3:a:sindresorhus:file-type:16.0.0
- cpe:2.3:a:sindresorhus:file-type:16.0.1
- cpe:2.3:a:sindresorhus:file-type:16.1.0
- cpe:2.3:a:sindresorhus:file-type:16.2.0
- cpe:2.3:a:sindresorhus:file-type:16.3.0
- cpe:2.3:a:sindresorhus:file-type:16.4.0
- cpe:2.3:a:sindresorhus:file-type:16.5.0
- cpe:2.3:a:sindresorhus:file-type:16.5.1
- cpe:2.3:a:sindresorhus:file-type:16.5.2
- cpe:2.3:a:sindresorhus:file-type:16.5.3
- cpe:2.3:a:sindresorhus:file-type:16.5.4
- cpe:2.3:a:sindresorhus:file-type:17.0.0
- cpe:2.3:a:sindresorhus:file-type:17.0.1
- cpe:2.3:a:sindresorhus:file-type:17.0.2
- cpe:2.3:a:sindresorhus:file-type:17.1.0
- cpe:2.3:a:sindresorhus:file-type:17.1.1
- cpe:2.3:a:sindresorhus:file-type:17.1.2
- cpe:2.3:a:sindresorhus:file-type:17.1.3
- cpe:2.3:a:sindresorhus:file-type:17.1.4
- cpe:2.3:a:sindresorhus:file-type:17.1.5
- cpe:2.3:a:sindresorhus:file-type:17.1.6
- cpe:2.3:a:sindresorhus:file-type:18.0.0
- cpe:2.3:a:sindresorhus:file-type:18.1.0
- cpe:2.3:a:sindresorhus:file-type:18.2.0
- cpe:2.3:a:sindresorhus:file-type:18.2.1
- cpe:2.3:a:sindresorhus:file-type:18.3.0
- cpe:2.3:a:sindresorhus:file-type:18.4.0
- cpe:2.3:a:sindresorhus:file-type:18.5.0
- cpe:2.3:a:sindresorhus:file-type:18.6.0
- cpe:2.3:a:sindresorhus:file-type:18.7.0
- cpe:2.3:a:sindresorhus:file-type:19.0.0
- cpe:2.3:a:sindresorhus:file-type:19.1.0
- cpe:2.3:a:sindresorhus:file-type:19.1.1
- cpe:2.3:a:sindresorhus:file-type:19.2.0
- cpe:2.3:a:sindresorhus:file-type:19.3.0
- cpe:2.3:a:sindresorhus:file-type:19.4.0
- cpe:2.3:a:sindresorhus:file-type:19.4.1
- cpe:2.3:a:sindresorhus:file-type:19.5.0
- cpe:2.3:a:sindresorhus:file-type:19.6.0
- cpe:2.3:a:sindresorhus:file-type:20.0.0
- cpe:2.3:a:sindresorhus:file-type:20.0.1
- cpe:2.3:a:sindresorhus:file-type:20.1.0
- cpe:2.3:a:sindresorhus:file-type:20.2.0
- cpe:2.3:a:sindresorhus:file-type:20.3.0
- cpe:2.3:a:sindresorhus:file-type:20.4.0
- cpe:2.3:a:sindresorhus:file-type:20.4.1
- cpe:2.3:a:sindresorhus:file-type:20.5.0
- cpe:2.3:a:sindresorhus:file-type:21.0.0
- cpe:2.3:a:sindresorhus:file-type:21.1.0
- cpe:2.3:a:sindresorhus:file-type:21.1.1
- cpe:2.3:a:sindresorhus:file-type:21.2.0
- cpe:2.3:a:sindresorhus:file-type:21.3.0