CVE-2026-31988
Off-by-One Error in yauzl NTFS Parser Causes DoS

Publication date: 2026-03-11

Last updated on: 2026-03-12

Assigner: VulnCheck

Description
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-12
Generated: 2026-06-16
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: yauzl
Product: yauzl
Version / Range: to 3.2.1 (inc)
CWE ID: CWE-193
Description: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Executive Summary

The vulnerability is in yauzl version 3.2.0, a Node.js library for unzipping files. It is an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, so the loop can continue when fewer than four bytes remain and readUInt16LE() reads past the end of the buffer.

This flaw can be exploited by a remote attacker who sends a specially crafted zip file with a malformed NTFS extra field, causing the application to crash due to an ERR_OUT_OF_RANGE exception.

The issue affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. The vulnerability was fixed in version 3.2.1 of yauzl.
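
Added example, not yauzl's source: a simplified model of an NTFS extra-field walk that runs the flawed and the corrected loop condition from the description over constructed buffers. The function names, the attribute layout handling and the sample inputs are assumptions made for illustration.

```javascript
// Simplified model of an NTFS (0x000a) extra-field walk; NOT yauzl's code.
// Layout: 4 reserved bytes, then attributes of [tag u16][size u16][data].
// Attribute tag 0x0001 starts with an 8-byte FILETIME modification time.
const FILETIME_TO_UNIX_MS = 11644473600000n; // 1601-01-01 -> 1970-01-01

function parseNtfsMtime(data, headerFits) {
  let cursor = 4; // skip the reserved field
  while (headerFits(cursor, data.length)) {
    const tag = data.readUInt16LE(cursor);
    const size = data.readUInt16LE(cursor + 2);
    cursor += 4;
    if (tag === 0x0001 && size >= 8 && cursor + 8 <= data.length) {
      const ticks = data.readBigUInt64LE(cursor); // 100 ns units since 1601
      return new Date(Number(ticks / 10000n - FILETIME_TO_UNIX_MS));
    }
    cursor += size; // unknown attribute: skip its payload
  }
  return null; // no timestamp attribute present
}

// The two loop conditions quoted in the description.
const flawed = (cursor, length) => cursor < length + 4;
const fixed = (cursor, length) => cursor + 4 <= length;

// Runs the parser and reports the error code instead of letting it propagate.
function tryParse(data, headerFits) {
  try {
    return { date: parseNtfsMtime(data, headerFits), error: null };
  } catch (e) {
    return { date: null, error: e.code };
  }
}

// Constructed input: one well-formed timestamp attribute (2026-03-11 UTC).
function wellFormedField() {
  const buf = Buffer.alloc(4 + 4 + 24);
  buf.writeUInt16LE(0x0001, 4);
  buf.writeUInt16LE(24, 6);
  const ms = BigInt(Date.UTC(2026, 2, 11));
  buf.writeBigUInt64LE((ms + FILETIME_TO_UNIX_MS) * 10000n, 8);
  return buf;
}

// Constructed input: the field ends right after an attribute with no timestamp.
const noTimestampField = Buffer.from([0, 0, 0, 0, 0x02, 0x00, 0x00, 0x00]);

console.log('flawed:', tryParse(noTimestampField, flawed).error);
console.log('fixed: ', tryParse(noTimestampField, fixed).date);
```

With the flawed condition the walk attempts another header read at the end of the buffer and Node raises ERR_OUT_OF_RANGE; with the corrected condition the same input returns no timestamp.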

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition in applications using the affected yauzl library. By sending a crafted zip file with a malformed NTFS extra field, an attacker can cause the application to crash unexpectedly.

Such crashes can disrupt normal service availability, potentially affecting user experience and system reliability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade yauzl to version 3.2.1 or later, where the off-by-one error in the NTFS extended timestamp extra field parser has been fixed.

Additionally, avoid processing untrusted or malformed zip files that could trigger the denial of service condition by causing the process to crash.
