CVE-2026-32630: file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
A crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile().
In affected versions, the ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. In testing on file-type 21.3.1, a ZIP of about 255 KB caused about 257 MB of RSS growth during fileTypeFromBuffer().
This is an availability issue. Applications that use these APIs on untrusted uploads can be forced to consume large amounts of memory and may become slow or crash.
References
- github.com/advisories/GHSA-j47w-4g3g-c36v
- github.com/sindresorhus/file-type
- github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124
- github.com/sindresorhus/file-type/commit/a155cd71323279de173c54e8c530d300d3854fdd
- github.com/sindresorhus/file-type/releases/tag/v21.3.2
- github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v
- nvd.nist.gov/vuln/detail/CVE-2026-32630