An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.
CVE-2022-36313 - Medium Severity Vulnerability
Detect the file type of a Buffer/Uint8Array/ArrayBuffer
Library home page: https://registry.npmjs.org/file-type/-/file-type-16.5.3.tgz
Path to dependency file: /web/package.json
Path to vulnerable library: /web/node_modules/file-type/package.json
Dependency Hierarchy: - gatsby-3.13.0.tgz (Root Library) - gatsby-core-utils-2.13.0.tgz - :x: **file-type-16.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 0f55b93d2b00e61ecb826dc9ce9fd9e07098669b
Found in base branch: master
An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.
Publish Date: 2022-07-21
URL: CVE-2022-36313
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2022-07-21
Fix Resolution (file-type): 16.5.4
Direct dependency fix Resolution (gatsby): 3.13.1
Step up your Open Source Security Game with Mend here