CVE-2026-31808
Received - Intake
Denial of Service in file-type ASF Parser via Infinite Loop

Publication date: 2026-03-10

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-18
Generated: 2026-06-16
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: sindresorhus
Product: file-type
Version / Range: From 13.0.0 (inc) to 21.3.1 (exc)
CWE ID: CWE-835
Description: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Executive Summary

This vulnerability exists in the file-type library prior to version 21.3.1, specifically in the ASF (WMV/WMA) file type detection parser. When the parser processes a crafted input where an ASF sub-header has a size field set to zero, it causes an infinite loop. This happens because the payload value becomes negative (-24), which makes the tokenizer move the read position backwards repeatedly, causing the same sub-header to be read over and over again.

Any application using file-type to detect the type of untrusted or attacker-controlled input is affected by this issue.
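
A simplified model of the loop described above, added here as an illustration and not taken from file-type's source. It assumes each sub-header is a 16-byte GUID followed by an 8-byte little-endian size that counts the 24-byte header itself; `walk`, `makeSubHeader` and `maxSteps` are hypothetical names, and the sample bytes are constructed.

```javascript
// Simplified model of an ASF-style sub-header walk (illustration only,
// not file-type's code). All names and sample bytes here are constructed.
const HEADER_LEN = 24; // assumed layout: 16-byte GUID + 8-byte LE size

// Build one sub-header whose size field holds `declaredSize`.
function makeSubHeader(declaredSize, payloadLen = 0) {
  const buf = Buffer.alloc(HEADER_LEN + payloadLen);
  buf.writeBigUInt64LE(BigInt(declaredSize), 16);
  return buf;
}

// Walk every sub-header in `buf`. With validate=false the position update
// follows the flawed arithmetic; maxSteps exists only so the demo returns.
function walk(buf, { validate, maxSteps = 1000 }) {
  let pos = 0;
  let steps = 0;
  while (pos + HEADER_LEN <= buf.length) {
    if (steps === maxSteps) return { status: 'stalled', steps, pos };
    steps += 1;
    const size = Number(buf.readBigUInt64LE(pos + 16));
    pos += HEADER_LEN;                 // header has been consumed
    const payload = size - HEADER_LEN; // a size of 0 gives -24
    if (validate && (payload < 0 || payload > buf.length - pos)) {
      // Hardened path: a size smaller than the header, or one that runs
      // past the end of the data, is malformed, so stop parsing.
      return { status: 'rejected', steps, pos: pos - HEADER_LEN };
    }
    pos += payload;                    // a negative value rewinds the position
  }
  return { status: 'done', steps, pos };
}

// Constructed inputs: two well-formed sub-headers, and one with size 0.
const wellFormed = Buffer.concat([makeSubHeader(32, 8), makeSubHeader(24)]);
const zeroSize = makeSubHeader(0);

console.log(walk(wellFormed, { validate: true }));
console.log(walk(zeroSize, { validate: false }));
console.log(walk(zeroSize, { validate: true }));
```

Without the bounds check the position returns to 0 on every pass and only the demo's step cap ends the walk; with the check the malformed sub-header is rejected on the first pass.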

Impact Analysis

An attacker can exploit this vulnerability by sending a crafted 55-byte payload that causes the Node.js event loop to stall indefinitely. This results in a denial of service (DoS) condition, where the affected application becomes unresponsive or unable to process further requests.

Mitigation Strategies

To mitigate this vulnerability, upgrade the file-type package to version 21.3.1 or later, where the denial of service issue in the ASF file type detection parser has been fixed.

Avoid processing untrusted or attacker-controlled ASF (WMV/WMA) files with vulnerable versions of file-type to prevent stalling the Node.js event loop.
