An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.
Detect the file type of a Buffer/Uint8Array/ArrayBuffer
Library home page: https://registry.npmjs.org/file-type/-/file-type-16.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/file-type/package.json
Vulnerabilities
Details
CVE-2022-36313
### Vulnerable Library - file-type-16.5.3.tgzDetect the file type of a Buffer/Uint8Array/ArrayBuffer
Library home page: https://registry.npmjs.org/file-type/-/file-type-16.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/file-type/package.json
Dependency Hierarchy: - :x: **file-type-16.5.3.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsAn issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.
Publish Date: 2022-07-21
URL: CVE-2022-36313
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-07-21
Fix Resolution: 16.5.4
:rescue_worker_helmet: Automatic Remediation is available for this issue:rescue_worker_helmet: Automatic Remediation is available for this issue.