CVE-2026-31988
Received Received - Intake
Off-by-One Error in yauzl NTFS Parser Causes DoS

Publication date: 2026-03-11

Last updated on: 2026-03-12

Assigner: VulnCheck

Description
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-12
Generated
2026-05-07
AI Q&A
2026-03-12
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31988
EUVD
EUVD-2026-11482
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yauzl yauzl to 3.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in yauzl version 3.2.0, a Node.js library used for unzipping files. It is an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. Specifically, the while loop condition incorrectly allows reading beyond the buffer boundary, which can cause the function readUInt16LE() to read past the intended data limit.

This flaw can be exploited by a remote attacker who sends a specially crafted zip file with a malformed NTFS extra field, causing the application to crash due to an ERR_OUT_OF_RANGE exception.

The issue affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. The vulnerability was fixed in version 3.2.1 of yauzl.


How can this vulnerability impact me? :

This vulnerability can lead to a denial of service (DoS) condition in applications using the affected yauzl library. By sending a crafted zip file with a malformed NTFS extra field, an attacker can cause the application to crash unexpectedly.

Such crashes can disrupt normal service availability, potentially affecting user experience and system reliability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade yauzl to version 3.2.1 or later, where the off-by-one error in the NTFS extended timestamp extra field parser has been fixed.

Additionally, avoid processing untrusted or malformed zip files that could trigger the denial of service condition by causing the process to crash.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart