CVE-2026-32256
Status: Received - Intake
Infinite Loop Vulnerability in music-metadata ASF Parser

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version 11.12.3 fixes the issue.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: borewit
Product: music-metadata
Version / Range: up to 11.12.3 (excluding 11.12.3)
CWE
CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32256 is a high-severity vulnerability in the music-metadata npm package's ASF parser, specifically in the parseExtensionObject() function. When a sub-object inside the ASF Header Extension Object has an objectSize value of 0, the parser enters an infinite loop. This happens because the calculation of remaining bytes becomes negative, causing the parser to repeatedly re-read the same header indefinitely without progressing.

The root cause is that the strtok3 library's AbstractTokenizer.ignore() method accepts negative values without validation, allowing the read position to move backward and preventing the loop from exiting.

This issue affects the parseFile() and parseBuffer() methods, causing applications using them to hang permanently when processing a crafted ASF file.

The vulnerability was fixed in music-metadata version 11.12.3. [1]


How can this vulnerability impact me?

This vulnerability can cause a denial-of-service (DoS) condition by making any application that uses the vulnerable parseFile() or parseBuffer() methods hang indefinitely when processing a specially crafted ASF file.

Since music-metadata is widely used with 2.2 million weekly npm downloads, this issue poses a significant risk of service disruption.

An attacker can exploit this vulnerability remotely without any privileges or user interaction, making it easy to trigger.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if your system or application is using a vulnerable version of the music-metadata package prior to version 11.12.3, especially if it processes ASF files using the parseFile() or parseBuffer() methods.

Detection can involve monitoring for applications hanging or entering infinite loops when processing ASF media files, particularly if a crafted ASF file causes the process to become unresponsive.

Since the issue arises when a sub-object inside the ASF Header Extension Object has an objectSize of 0, you can attempt to detect such crafted ASF files by inspecting ASF files for this condition.

Specific commands are not provided in the resources, but general approaches include:

  • Check the version of music-metadata in your project dependencies (e.g., using `npm list music-metadata`).
  • Monitor application logs or behavior for hangs or infinite loops during ASF file parsing.
  • Use static analysis or code review to verify if parseFile() or parseBuffer() methods are used without the patch.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the music-metadata package to version 11.12.3 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, consider validating ASF files before processing to ensure that no sub-object inside the ASF Header Extension Object has an objectSize of 0.

Alternatively, modify or patch the tokenizer.ignore() method to reject negative values to prevent the infinite loop condition.

Avoid using the vulnerable parseFile() and parseBuffer() methods on untrusted ASF files until the patch is applied.
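Two of the mitigations above (pre-validating the sub-objects of the Header Extension Object before parsing, and never letting the reader move backwards) can be checked in a few lines. The following is an added example, not music-metadata's or strtok3's own code; it assumes the standard ASF object header layout (a 16-byte GUID followed by an 8-byte little-endian size that includes the header) and operates on a buffer holding just the extension data region, with constructed sample objects:

```javascript
// Added example, not music-metadata's own code: walks the sub-objects of an ASF
// Header Extension data region and rejects the objectSize = 0 case behind the CVE.
// Layout assumed from the ASF spec: 16-byte GUID + 8-byte LE size counting the header.
const ASF_OBJECT_HEADER_SIZE = 24;
// Builds one sub-object; sizeOverride lets the sample forge a bad size field.
function buildSubObject(guidByte, payload, sizeOverride) {
  const buf = Buffer.alloc(ASF_OBJECT_HEADER_SIZE + payload.length);
  buf.fill(guidByte, 0, 16);
  buf.writeBigUInt64LE(BigInt(sizeOverride === undefined ? buf.length : sizeOverride), 16);
  payload.copy(buf, ASF_OBJECT_HEADER_SIZE);
  return buf;
}
// Simulation of the vulnerable pattern: read the 24-byte header, then skip
// (objectSize - 24) bytes. For objectSize = 0 the skip is -24 and the reader lands
// on the same header again. Capped so it terminates; returns the iteration count.
function walkUnchecked(data, maxIterations) {
  let pos = 0, iterations = 0;
  while (pos < data.length && iterations < maxIterations) {
    const objectSize = Number(data.readBigUInt64LE(pos + 16));
    pos += ASF_OBJECT_HEADER_SIZE + (objectSize - ASF_OBJECT_HEADER_SIZE); // net 0 for size 0
    iterations++;
  }
  return iterations;
}
// Hardened walk: a sub-object must be at least one full header long and must fit
// in the bytes that remain, so pos strictly advances and the loop always ends.
function walkChecked(data) {
  const objects = [];
  let pos = 0;
  while (pos < data.length) {
    const remaining = data.length - pos;
    if (remaining < ASF_OBJECT_HEADER_SIZE) throw new Error(`truncated header at ${pos}`);
    const objectSize = Number(data.readBigUInt64LE(pos + 16));
    if (objectSize < ASF_OBJECT_HEADER_SIZE || objectSize > remaining)
      throw new Error(`invalid objectSize ${objectSize} at offset ${pos}`);
    objects.push({ guid: data.subarray(pos, pos + 16).toString('hex'), size: objectSize });
    pos += objectSize;
  }
  return objects;
}

// Constructed sample regions: benign, and one whose second sub-object claims size 0.
const benignRegion = Buffer.concat([buildSubObject(0x11, Buffer.from('abc')),
                                    buildSubObject(0x22, Buffer.from('defgh'))]);
const craftedRegion = Buffer.concat([buildSubObject(0x11, Buffer.from('abc')),
                                     buildSubObject(0x22, Buffer.from('defgh'), 0)]);
// Gate for untrusted input: true only when every sub-object is sane.
function isSafeRegion(region) {
  try { walkChecked(region); return true; } catch { return false; }
}
```

Run `isSafeRegion` on the extension data region before handing a file to the vulnerable parser; `walkUnchecked` is only there to show that the unchecked loop never advances past the zero-size object.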

