Vulnerability Details CVE-2026-32630
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.5%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2026-32630
-
cpe:2.3:a:sindresorhus:file-type:20.0.0
-
cpe:2.3:a:sindresorhus:file-type:20.0.1
-
cpe:2.3:a:sindresorhus:file-type:20.1.0
-
cpe:2.3:a:sindresorhus:file-type:20.2.0
-
cpe:2.3:a:sindresorhus:file-type:20.3.0
-
cpe:2.3:a:sindresorhus:file-type:20.4.0
-
cpe:2.3:a:sindresorhus:file-type:20.4.1
-
cpe:2.3:a:sindresorhus:file-type:20.5.0
-
cpe:2.3:a:sindresorhus:file-type:21.0.0
-
cpe:2.3:a:sindresorhus:file-type:21.1.0
-
cpe:2.3:a:sindresorhus:file-type:21.1.1
-
cpe:2.3:a:sindresorhus:file-type:21.2.0
-
cpe:2.3:a:sindresorhus:file-type:21.3.0
-
cpe:2.3:a:sindresorhus:file-type:21.3.1