{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32630", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.559Z", "datePublished": "2026-03-13T20:54:16.960Z", "dateUpdated": "2026-03-16T16:59:36.473Z"}, "containers": {"cna": {"title": "file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry", "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "lang": "en", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v"}, {"name": "https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124", "tags": ["x_refsource_MISC"], "url": "https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124"}], "affected": [{"vendor": "sindresorhus", "product": "file-type", "versions": [{"version": ">= 20.0.0, < 21.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:54:16.960Z"}, "descriptions": [{"lang": "en", "value": "file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2."}], "source": {"advisory": "GHSA-j47w-4g3g-c36v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T16:59:32.922021Z", "id": "CVE-2026-32630", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T16:59:36.473Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32630", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T16:59:32.922021Z"}}}], "references": [{"url": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T16:59:24.226Z"}}], "cna": {"title": "file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry", "source": {"advisory": "GHSA-j47w-4g3g-c36v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "sindresorhus", "product": "file-type", "versions": [{"status": "affected", "version": ">= 20.0.0, < 21.3.2"}]}], "references": [{"url": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v", "name": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124", "name": "https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:54:16.960Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32630", "state": "PUBLISHED", "dateUpdated": "2026-03-16T16:59:36.473Z", "dateReserved": "2026-03-12T15:29:36.559Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T20:54:16.960Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D0F498D6-3940-4A11-8A75-5437FC77A0ED", "versionEndExcluding": "21.3.2", "versionStartIncluding": "20.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2."}], "id": "CVE-2026-32630", "lastModified": "2026-03-17T19:05:56.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:40.593", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "file-type: file-type: Denial of Service via excessive memory growth from crafted ZIP files", "id": "2447514", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447514"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-409", "details": ["A flaw was found in file-type, a utility for detecting file types. A remote attacker could exploit this vulnerability by providing a specially crafted ZIP file to an application using file-type's buffer or file-based detection functions. This can lead to excessive memory growth, causing a Denial of Service (DoS) due to the application attempting to inflate and process a much larger payload than expected."], "name": "CVE-2026-32630", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Not affected", "package_name": "io.cryostat-cryostat", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "io.apicurio-apicurio-registry", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.infinispan-infinispan-console", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/code-sshd-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite/iop-host-inventory-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-13T20:54:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32630\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32630\nhttps://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124\nhttps://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.0.0,21.3.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "file-type", "source": "cna", "vendor": "sindresorhus"}, "product": "file-type", "vendor": "sindresorhus"}], "analysis": {"en": {"generated_at": "2026-03-17T20:39:32.256688+00:00", "value": {"mitigation_remediation": ["Upgrade the file-type dependency to version 21.3.2 or later."], "summary": {"action": "Apply patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "The issue affects the npm package 'sindresorhus/file-type' in all versions from 20.0.0 up to and including 21.3.1. Versions 21.3.2 and later incorporate the fix and are not affected.", "description_and_impact": "The vulnerability resides in the file-type library\u2019s ZIP handling, where a crafted ZIP file can trigger excessive memory growth during type detection. This occurs when fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile() process a small compressed ZIP that expands to a much larger payload, exploiting the absence of an inflate output limit for known-size inputs. The resulting memory exhaustion can cause the application to crash or become unresponsive, constituting a denial of service. The weakness is classified as CWE-409.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector, though not explicitly stated, is inferred to require an attacker to supply a crafted ZIP file to the application\u2019s type detection logic, making it a local or supply\u2011of\u2011data exploitation scenario rather than a remote network attack."}}}}, "created": "2026-03-16T09:22:57.420664+00:00", "updated": "2026-03-23T13:39:31.901973+00:00", "vendors": ["sindresorhus", "sindresorhus$PRODUCT$file-type"]}