CVE-2026-32630 in file-type

Summary

by MITRE • 03/16/2026

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability described in CVE-2026-32630 affects the file-type library, a widely used Node.js module for detecting file types through magic number detection and content analysis. This library serves as a critical component in applications that need to identify file formats for security validation, content processing, or file handling operations. The issue manifests specifically in versions 20.0.0 through 21.3.1 where the library's handling of ZIP file detection contains a memory exhaustion flaw that can be exploited through crafted input files. The vulnerability stems from an inconsistency in how the library processes different input types during file type detection operations.

The technical flaw occurs when the file-type library processes ZIP files through fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). During detection, the library decompresses ZIP entries to examine their contents for format identification. The implementation correctly enforces an inflate output limit when processing streaming data, but does not apply the same limit to known-size inputs. This inconsistency allows an attacker to craft a small compressed ZIP file that, when processed, triggers excessive memory consumption as the library inflates and processes a much larger payload. The vulnerability specifically affects the probing of ZIP-based formats such as OOXML, where the library performs deeper content analysis. This behavior aligns with CWE-400 (uncontrolled resource consumption) and is a classic example of resource exhaustion through a decompression attack.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it can lead to significant system instability and resource consumption issues in applications that rely on file-type for content validation. When exploited, the vulnerability can cause applications to consume excessive memory, potentially leading to system crashes, performance degradation, or resource exhaustion that affects other processes. The vulnerability is particularly concerning in web applications, file upload handlers, and content processing systems where attackers might upload maliciously crafted ZIP files to consume system resources. The attack surface is broad since file-type is commonly used across various Node.js applications for file validation, and the vulnerability can be triggered through multiple API entry points. This makes the exploit particularly dangerous as it can be leveraged in applications that don't explicitly handle ZIP files but might process them through generic file validation routines.

The fix implemented in version 21.3.2 addresses the core issue by ensuring consistent enforcement of ZIP inflate output limits across all input processing methods. This remediation aligns with security best practices for resource management and input validation, particularly in libraries that process untrusted data. Organizations should prioritize updating to version 21.3.2 or later to mitigate this vulnerability. Additional mitigations include implementing rate limiting on file processing operations, monitoring system resource consumption during file validation, and configuring appropriate memory limits for applications using the file-type library. Security teams should also consider implementing network-based detection mechanisms to identify potential exploitation attempts through unusual memory consumption patterns. This vulnerability demonstrates the importance of consistent security controls across all code paths and highlights the need for thorough testing of decompression and processing logic in libraries handling untrusted input data, particularly in accordance with ATT&CK technique T1499.001 for resource exhaustion attacks and T1059.007 for command and scripting interpreters.

Responsible: GitHub M

Reservation: 03/12/2026

Disclosure: 03/16/2026

Moderation: accepted

CPE: ready

EPSS: 0.00079

KEV: no

Activities: very low
