Is Node.js affected by CVE-2026-32256?

A denial-of-service vulnerability in the music-metadata library can cause applications to hang indefinitely when processing maliciously crafted audio files. Any organization using this library for file parsing faces risk of service unavailability if users upload or process untrusted ASF/WMA files.

CVE-2026-32256

HIGH

2026-03-17 https://github.com/Borewit/music-metadata

GHSA-v6c2-xwv6-8xf7

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 17, 2026 - 20:30 vuln.today

CVE Published

Mar 17, 2026 - 20:04 nvd

HIGH 7.5

Description

# Summary music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. ## Root Cause When objectSize is 0: 1. `remaining = 0 - 24 = -24` 2. `tokenizer.ignore(-24)` moves the read position backward by 24 bytes 3. `extensionSize -= 0` (loop counter never decreases) 4. `while (extensionSize > 0)` never exits 5. The same 24-byte header is re-read infinitely This is the same pattern as CVE-2026-31808 (GHSA-5v7r-6r5c-r473) in file-type - strtok3's `AbstractTokenizer.ignore()` accepts negative values without validation. ## Affected Methods - `parseFile()` - HANGS (FileTokenizer inherits vulnerable ignore()) - `parseBuffer()` - HANGS (BufferTokenizer inherits vulnerable ignore()) - `parseStream()` - NOT affected (ReadStreamTokenizer has own ignore() that throws RangeError) ## Impact A 100-byte crafted .asf file permanently hangs any application using parseFile() or parseBuffer(). music-metadata has 2.2M weekly npm downloads. ## Suggested Fix Validate `objectSize >= minimumHeaderSize` before calculating the payload. Or fix strtok3's `AbstractTokenizer.ignore()` to reject negative values.

Analysis

CVE-2026-32256 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Remediation

Within 24 hours: Identify all applications and services using music-metadata library and document their version numbers and deployment scope. Within 7 days: Implement input validation and file type restrictions to block untrusted ASF files; implement processing timeouts on all metadata parsing operations. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2026-32256 vulnerability details – vuln.today

Back

CVE-2026-32256

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-32256

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code