Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability exists in the npm package "file-type" versions 20.0.0 to 21.3.1. It occurs when the package attempts to detect the file type of a crafted ZIP file using the APIs fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile().'}, {'type': 'paragraph', 'content': 'The issue arises because the code does not properly enforce limits on the size of decompressed ZIP entries for known-size inputs (buffers, blobs, files). While stream-based detection enforces a 1 MiB inflate output limit, known-size inputs use a very large limit (Number.MAX_SAFE_INTEGER), effectively disabling the limit.'}, {'type': 'paragraph', 'content': 'As a result, a small compressed ZIP file can decompress into a very large payload, causing excessive memory growth during type detection. This can be triggered by a crafted ZIP file containing a large [Content_Types].xml entry, leading to a denial-of-service condition due to high memory consumption.'}, {'type': 'paragraph', 'content': 'This vulnerability was fixed in version 21.3.2 of the file-type package.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

If you use the affected versions of the file-type package to detect file types from untrusted ZIP files via fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(), an attacker can craft a malicious ZIP file that causes your application to consume excessive memory.

This excessive memory consumption can degrade service performance or cause your application process to crash, especially in memory-constrained environments.

The vulnerability does not affect stream-based detection (fileTypeFromStream()), which correctly enforces inflate size limits.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring applications that use the file-type library versions from 20.0.0 to 21.3.1, specifically when they process ZIP files using the APIs fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). Detection involves identifying excessive memory usage or crashes triggered by crafted ZIP files containing a large [Content_Types].xml entry.

Since the issue arises during decompression of ZIP files, you can detect attempts to exploit it by observing processes consuming unusually high memory when handling ZIP files or by scanning for usage of vulnerable file-type versions.

Suggested commands to help detect this on a system include:

• Check the installed version of the file-type package in your project (Node.js environment): ``` npm list file-type ```
• Monitor memory usage of processes that handle file uploads or file-type detection, for example using: ``` top ``` or ``` ps aux --sort=-rss | head ```
• Use system tracing or logging to detect unusually large decompression or processing of ZIP files.

No specific built-in commands or signatures are provided in the resources, so detection relies on version checking and monitoring for abnormal memory consumption during ZIP file processing.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the file-type package to version 21.3.2 or later, where this vulnerability is fixed.

Avoid processing untrusted ZIP files using the vulnerable APIs fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile() in affected versions.

If upgrading immediately is not possible, consider implementing additional controls such as limiting the size of input files, restricting ZIP file uploads, or sandboxing the file-type processing to prevent excessive memory consumption from impacting critical services.

Monitoring and alerting on abnormal memory usage during file-type detection can also help identify exploitation attempts.

Useful 0 Not Useful 0