CVE-2026-32630: Denial of Service via Data Amplification in file-type npm Package
Source: Dev.to
Vulnerability Overview
- Vulnerability ID: CVE‑2026‑32630
- CVSS v3.1 Score: 5.3 (Medium)
- Published: 2026‑03‑13
- Attack Vector: Network
- Impact: Denial of Service (Out‑of‑Memory)
- CWE: CWE‑409 (Improper Handling of Highly Compressed Data)
- CISA KEV Status: Not Listed
The file‑type npm package (versions 20.0.0 through 21.3.1) fails to consistently enforce memory‑allocation limits when decompressing internal ZIP entries. An unauthenticated remote attacker can supply a crafted, highly compressed ZIP archive (a “ZIP bomb”) that triggers massive memory allocation, leading to an out‑of‑memory (OOM) crash of the Node.js process.
Affected Versions
- Vulnerable range: `>= 20.0.0, < 21.3.2`
- Fixed in: `21.3.2`
Any Node.js application that:
- Uses `file-type` versions 20.0.0 through 21.3.1, or
- Analyzes user‑uploaded files for MIME‑type validation with the affected library

is susceptible to this issue.
Technical Details
- The library decompresses ZIP entries without a reliable size check.
- When a ZIP entry's size is unknown (the `hasUnknownFileSize` condition), the decompression limit is bypassed.
- Crafted ZIP entries can expand to many gigabytes in memory, exhausting the process heap and causing an OOM crash.
This is a classic ZIP bomb attack, classified under CWE‑409 because the software does not properly handle highly compressed data.
Fixes and Hardening (21.3.2)
| Change | Description | Commit |
|---|---|---|
| Primary fix | Enforces a strict 1 MiB limit on ZIP entry decompression by removing the `hasUnknownFileSize` condition. | a155cd7 |
| Hardening 1 | Limits the maximum number of ZIP entries to 1024. | 6954817 |
| Hardening 2 | Introduces `maximumDetectionReentryCount` to prevent stack overflow from deeply nested objects. | d2ecea1 |
| Hardening 3 | Adds loop safeguards to the EBML and PNG parsers to prevent CPU exhaustion. | 370ed91 |
Remediation Steps
Identify usage
- Run `npm ls file-type`.
Update the dependency
- Edit `package.json` to require `^21.3.2` (or later).
- Run `npm install` to refresh `package-lock.json`.
Test
- Deploy the updated application to a staging environment.
- Perform regression testing, especially around file‑upload handling.
Monitor
- In production, watch for unexpected memory spikes or process restarts.
Additional mitigations
- Run file‑parsing tasks inside isolated Node.js Worker Threads with strict memory limits.
- Enforce maximum upload size at the load balancer or WAF level.
- Audit the full dependency tree for transitive inclusions of vulnerable `file-type` versions.
References
- GitHub Security Advisory: GHSA‑j47w‑4g3g‑c36v
- Full CVE report: CVE‑2026‑32630 (available on the issuing organization’s website)