CVE-2022-36313

MEDIUM
5.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC Detected: Mar 17, 2026 - 19:18 (vuln.today), public exploit code
CVE Published: Jul 21, 2022 - 16:15 (nvd)

Description

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

Analysis

A malformed MKV file can trigger an infinite loop in the file-type Node.js package (versions before 16.5.4 and 17.x before 17.1.3), making the application unresponsive and enabling denial of service. The vulnerability affects the Sindresorhus file-type library, a widely used dependency for file type detection, and requires only local access and user interaction to trigger (CVSS 5.5). With an EPSS score of 0.17% (38th percentile), the actual exploitation probability remains relatively low despite the moderate severity rating.

Technical Context

The file-type package is a popular Node.js library maintained by Sindresorhus used for detecting file types by examining magic bytes and file signatures. The vulnerability resides in the MKV (Matroska Video) file format parsing logic, where improper loop termination conditions allow a specially-crafted MKV header structure to cause infinite iteration. The root cause is classified under CWE-835 (Infinite Loop), indicating the parser fails to implement proper bounds checking or exit conditions when processing malformed MKV container structures. The affected CPE entries (cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*) indicate the vulnerability exists across all versions prior to the patched releases in both the 16.x and 17.x release branches.

Affected Products

The Sindresorhus file-type package for Node.js is affected in versions prior to 16.5.4 and all 17.x versions prior to 17.1.3 (CPE: cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*). The package is widely distributed via npm (https://www.npmjs.com/package/file-type) and is a transitive dependency in numerous Node.js applications, so a project can be affected without listing it directly in package.json. NetApp systems using this library in their software stack are also impacted, as referenced in the NetApp security advisory at https://security.netapp.com/advisory/ntap-20220909-0005/. The vulnerability affects any application or service that uses file-type for MKV file validation or detection.

Remediation

Upgrade the file-type package to version 16.5.4 or later for the 16.x branch, or to version 17.1.3 or later for the 17.x branch. Users should update their package.json dependencies and run npm update or yarn upgrade to pull the patched versions from the npm registry (https://www.npmjs.com/package/file-type). For applications that cannot immediately patch, implement input validation by rejecting MKV files from untrusted sources or restricting file-type detection to a separate, resource-limited process with timeouts to prevent application-wide unresponsiveness. Monitor the vendor releases at https://github.com/sindresorhus/file-type/releases/tag/v16.5.4 and https://github.com/sindresorhus/file-type/releases/tag/v17.1.3 for confirmation of patch availability.

Priority Score

28
KEV: 0
EPSS: +0.2
CVSS: +28
POC: +20


CVE-2022-36313 vulnerability details – vuln.today
