{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31988", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-10T19:48:11.109Z", "datePublished": "2026-03-11T22:58:48.863Z", "dateUpdated": "2026-03-12T13:40:55.420Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-11T22:58:48.863Z"}, "datePublic": "2026-02-28T00:00:00.000Z", "title": "yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser", "descriptions": [{"lang": "en", "value": "yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Off-by-one Error", "cweId": "CWE-193", "type": "CWE"}]}], "affected": [{"vendor": "thejoshwolfe", "product": "yauzl", "versions": [{"version": "3.2.0", "status": "affected", "lessThan": "3.2.1", "versionType": "semver"}, {"status": "unaffected", "version": "3.2.1"}], "defaultStatus": "unaffected", "packageURL": "pkg:npm/yauzl"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash", "name": "CodeAnt AI Security Research Advisory", "tags": ["third-party-advisory"]}, {"url": "https://www.npmjs.com/package/yauzl", "name": "npm - yauzl", "tags": ["product"]}, {"name": "VulnCheck Advisory: yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser"}], "credits": [{"lang": "en", "value": "CodeAnt AI Code Reviewer", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"references": [{"url": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:40:48.738159Z", "id": "CVE-2026-31988", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:40:55.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31988", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:40:48.738159Z"}}}], "references": [{"url": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:40:42.721Z"}}], "cna": {"title": "yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser", "credits": [{"lang": "en", "type": "finder", "value": "CodeAnt AI Code Reviewer"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "thejoshwolfe", "product": "yauzl", "versions": [{"status": "affected", "version": "3.2.0", "lessThan": "3.2.1", "versionType": "semver"}, {"status": "unaffected", "version": "3.2.1"}], "packageURL": "pkg:npm/yauzl", "defaultStatus": "unaffected"}], "datePublic": "2026-02-28T00:00:00.000Z", "references": [{"url": "https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash", "name": "CodeAnt AI Security Research Advisory", "tags": ["third-party-advisory"]}, {"url": "https://www.npmjs.com/package/yauzl", "name": "npm - yauzl", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser", "name": "VulnCheck Advisory: yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "Off-by-one Error"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-11T22:58:48.863Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31988", "state": "PUBLISHED", "dateUpdated": "2026-03-12T13:40:55.420Z", "dateReserved": "2026-03-10T19:48:11.109Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-11T22:58:48.863Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1."}, {"lang": "es", "value": "yauzl (tambi\u00e9n conocida como Yet Another Unzip Library) versi\u00f3n 3.2.0 para Node.js contiene un error de off-by-one en el analizador del campo extra de marca de tiempo extendida NTFS dentro de la funci\u00f3n getLastModDate(). La condici\u00f3n del bucle 'while' comprueba cursor &lt; data.length + 4 en lugar de cursor + 4 &lt;= data.length, permitiendo que readUInt16LE() lea m\u00e1s all\u00e1 del l\u00edmite del b\u00fafer. Un atacante remoto puede causar una denegaci\u00f3n de servicio (ca\u00edda del proceso a trav\u00e9s de una excepci\u00f3n ERR_OUT_OF_RANGE) al enviar un archivo zip manipulado con un campo extra NTFS malformado. Esto afecta a cualquier aplicaci\u00f3n Node.js que procesa cargas de archivos zip y llama a entry.getLastModDate() en las entradas analizadas. Corregido en la versi\u00f3n 3.2.1."}], "id": "CVE-2026-31988", "lastModified": "2026-04-15T14:56:45.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-11T23:16:00.530", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe"}, {"source": "disclosure@vulncheck.com", "url": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash"}, {"source": "disclosure@vulncheck.com", "url": "https://www.npmjs.com/package/yauzl"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.2.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "yauzl", "source": "cna", "vendor": "thejoshwolfe"}, "product": "yauzl", "vendor": "thejoshwolfe"}], "analysis": {"en": {"generated_at": "2026-03-17T15:44:12.087039+00:00", "value": {"mitigation_remediation": ["Upgrade yauzl to version 3.2.1 or later."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in thejoshwolfe:yauzl library, version 3.2.0, as used by any Node.js application that processes zip uploads and calls entry.getLastModDate() on parsed entries. The issue was fixed in version 3.2.1; no other vendors or products are listed as affected.", "description_and_impact": "yauzl, the Node.js unzip library, contains an off\u2011by\u2011one error in the NTFS extended timestamp extra field parser used by the getLastModDate() function. The loop condition incorrectly allows the parser to read past the end of the buffer, resulting in an ERR_OUT_OF_RANGE exception that crashes the entire process. A remote attacker can trigger this by delivering a crafted zip file with a malformed NTFS extra field, causing the application to terminate. This is a classic buffer overread leading to a denial\u2011of\u2011service attack and fits CWE\u2011193.", "risk_and_exploitability": "The CVSS base score is 6.9, indicating moderate severity. The EPSS score is below 1\u202f%, suggesting that exploitation is expected to be rare. The vulnerability is not included in the CISA KEV catalog. Attackers can exploit the flaw remotely by supplying a crafted zip file to an application that uses yauzl. There are no additional conditions beyond the presence of the malformed NTFS timestamp field; the exploit path is straightforward and does not require local privileges."}}}}, "created": "2026-03-12T09:55:08.149168+00:00", "updated": "2026-03-20T15:36:41.737671+00:00", "vendors": ["thejoshwolfe", "thejoshwolfe$PRODUCT$yauzl"]}