CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32630: Denial of Service via Data Amplification in file-type npm Package

Vulnerability ID: CVE-2026-32630
CVSS Score: 5.3
Published: 2026-03-13

The file-type npm package, versions 20.0.0 through 21.3.1, contains a CWE-409 (Improper Handling of Highly Compressed Data) vulnerability. The package fails to consistently apply memory allocation limits when decompressing internal ZIP file entries, allowing an unauthenticated remote attacker to trigger a Denial of Service (DoS) via a crafted, highly compressed ZIP archive.

TL;DR

file-type versions 20.0.0 to 21.3.1 are vulnerable to a ZIP bomb attack. The decompression limit was skipped for ZIP entries whose uncompressed size is declared in the header, so a crafted entry with a small declared size and a highly compressed body forces massive memory allocation when inflated, resulting in an Out-of-Memory (OOM) process crash.

⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-32630
  • CVSS v3.1: 5.3
  • Attack Vector: Network
  • Impact: Denial of Service (OOM)
  • CWE ID: CWE-409
  • CISA KEV Status: Not Listed

Affected Systems

  • Node.js server applications utilizing file-type versions 20.0.0 through 21.3.1
  • Any service analyzing user-uploaded files for MIME type validation using the affected library
  • file-type: >= 20.0.0, < 21.3.2 (Fixed in: 21.3.2)

Code Analysis

Commit: a155cd7

Primary fix: Enforces strict 1 MiB limit on ZIP entry decompression by removing the hasUnknownFileSize condition.

Commit: 6954817

Hardening: Limits maximum ZIP entry count to 1024.

Commit: 370ed91

Hardening: Introduces maximumDetectionReentryCount to prevent stack overflow from nested objects.

Commit: d2ecea1

Hardening: Adds loop safeguards to EBML and PNG parsers to prevent CPU exhaustion.

Mitigation Strategies

  • Upgrade the file-type dependency to version 21.3.2 or later.
  • Execute file parsing and type detection tasks within isolated Node.js Worker Threads with strict memory limits.
  • Implement maximum file size limits on all user-supplied uploads at the load balancer or WAF level.
  • Audit dependency trees for transitive inclusions of vulnerable file-type versions.

Remediation Steps:

  1. Identify projects using file-type via npm ls file-type.
  2. Update the package.json file to require ^21.3.2.
  3. Run npm install to update the package-lock.json file.
  4. Deploy the updated application to staging environments for regression testing.
  5. Ensure production deployments are monitored for unexpected memory spikes or process restarts.
