CVE-2026-31988

MEDIUM 5.3

yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.

CWE	CWE-193
Vendor	thejoshwolfe
Product	yauzl
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for thejoshwolfe yauzl

Be the first to know when new medium vulnerabilities affecting thejoshwolfe yauzl are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

thejoshwolfe / yauzl

3.2.0 < 3.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe codeant.ai: https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash npmjs.com: https://www.npmjs.com/package/yauzl vulncheck.com: https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser

Credits

CodeAnt AI Code Reviewer