CVE-2026-32630
file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
| CWE | CWE-409 |
| Vendor | sindresorhus |
| Product | file-type |
| Published | Mar 13, 2026 |
| Last Updated | Mar 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for sindresorhus file-type
Be the first to know when new medium vulnerabilities affecting sindresorhus file-type are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
sindresorhus / file-type
>= 20.0.0, < 21.3.2