CVE-2026-32256: Infinite Loop Denial of Service in music-metadata ASF Parser
Vulnerability ID: CVE-2026-32256
CVSS Score: 7.5
Published: 2026-03-17
Versions of the music-metadata NPM package prior to 11.12.3 are vulnerable to an infinite loop (CWE-835) in the Advanced Systems Format (ASF) parser. A maliciously crafted ASF file can make the parser's read pointer seek backward instead of advancing, leaving the parser in a permanent hang at 100% CPU utilization, a Denial of Service (DoS).
TL;DR
A zero-length objectSize in an ASF file triggers an infinite loop in music-metadata's parseFile and parseBuffer methods, leading to a complete Denial of Service via 100% CPU utilization.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-835
- Attack Vector: Network
- CVSS v3.1: 7.5
- Impact: High (Availability)
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- music-metadata NPM package
- music-metadata: < 11.12.3 (fixed in 11.12.3)
Code Analysis
Commit: 894a9e8
Version Bump and Fix for GHSA-v6c2-xwv6-8xf7
Mitigation Strategies
- Upgrade music-metadata to version 11.12.3 or later
- Switch from parseFile() or parseBuffer() to parseStream() method
- Implement WAF rules to drop highly suspicious small (approx. 100 bytes) ASF or WMA media files
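A pre-parse size check that closes the zero-length objectSize condition described above, as an added example written for this page (it is not music-metadata's own code or its patch). It assumes the standard ASF object layout (a 16-byte GUID followed by an 8-byte little-endian size, with a 30-byte top-level Header Object) and constructs its own sample headers; any object whose declared size is below the 24-byte object header or beyond the header's end is rejected, so the walk always moves forward.

```javascript
const ASF_HEADER_GUID = Buffer.from('3026b2758e66cf11a6d900aa0062ce6c', 'hex');
const OBJECT_HEADER_SIZE = 24; // 16-byte GUID + 8-byte little-endian size
const TOP_HEADER_SIZE = 30;    // object header + 4-byte object count + 2 reserved bytes
class AsfStructureError extends Error {}
// Object sizes are 64-bit little-endian QWORDs; anything larger than the buffer is
// rejected here, which also keeps the Number conversion exact.
function readObjectSize(buf, offset) {
  const size = buf.readBigUInt64LE(offset);
  if (size > BigInt(buf.length)) throw new AsfStructureError(`object at ${offset} exceeds file length`);
  return Number(size);
}
// Walk the sub-objects of the top-level Header Object. Each accepted object advances
// the offset by at least OBJECT_HEADER_SIZE and never past the declared header end.
function checkAsfHeader(buf) {
  if (buf.length < TOP_HEADER_SIZE || !buf.subarray(0, 16).equals(ASF_HEADER_GUID)) {
    throw new AsfStructureError('missing ASF Header Object GUID');
  }
  const headerEnd = readObjectSize(buf, 16);
  if (headerEnd < TOP_HEADER_SIZE) throw new AsfStructureError(`header object size ${headerEnd} too small`);
  const objects = []; let offset = TOP_HEADER_SIZE;
  while (offset < headerEnd) {
    if (headerEnd - offset < OBJECT_HEADER_SIZE) throw new AsfStructureError(`truncated object at ${offset}`);
    const guid = buf.subarray(offset, offset + 16).toString('hex');
    const size = readObjectSize(buf, offset + 16);
    // The CVE-2026-32256 condition: a size below 24 (zero included) would leave the read
    // pointer in place or move it backward instead of onto the next object.
    if (size < OBJECT_HEADER_SIZE || size > headerEnd - offset) {
      throw new AsfStructureError(`object ${guid} at ${offset} declares invalid size ${size}`);
    }
    objects.push({ guid, size });
    offset += size;
  }
  return objects;
}

// Constructed sample input: a minimal Header Object whose sub-objects occupy 24 bytes
// each on disk but carry whatever size field the caller asks for.
function buildAsfHeader(declaredSizes) {
  const top = Buffer.alloc(TOP_HEADER_SIZE);
  ASF_HEADER_GUID.copy(top, 0);
  top.writeBigUInt64LE(BigInt(TOP_HEADER_SIZE + OBJECT_HEADER_SIZE * declaredSizes.length), 16);
  top.writeUInt32LE(declaredSizes.length, 24); top[28] = 0x01; top[29] = 0x02; // count + reserved bytes
  const subs = declaredSizes.map((size, i) => {
    const obj = Buffer.alloc(OBJECT_HEADER_SIZE, 0x10 + i); // dummy GUID bytes
    obj.writeBigUInt64LE(BigInt(size), 16);
    return obj;
  });
  return Buffer.concat([top, ...subs]);
}
```

Run the check before handing a buffer to parseBuffer(); a file built with `buildAsfHeader([0])` is refused with an AsfStructureError instead of being parsed.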
Remediation Steps:
- Identify projects utilizing music-metadata by checking package.json and package-lock.json
- Run 'npm install music-metadata@11.12.3' to apply the patched version
- Run the application test suite to verify media parsing functionality
- Deploy the updated application to production environments