CVE-2026-32256: music-metadata has an infinite loop vulnerability in ASF parser
music-metadata’s ASF parser (parseExtensionObject() in lib/asf/AsfParser.ts:112-158) enters an infinite loop when a sub-object inside the ASF Header Extension Object has objectSize = 0.
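The failure mode described above, as an added example that is not music-metadata's own code: a sub-object walker that advances by the declared size stops making progress on a size of 0, while checking the size against the header length and the remaining bytes rejects it. It assumes the standard ASF object header (16-byte GUID followed by a 64-bit little-endian size that includes the 24-byte header); `walkSubObjects`, `makeObject`, `concat` and `maxSteps` are hypothetical names.

```javascript
// Added illustration; not music-metadata's code. Layout assumption: each ASF
// object starts with a 16-byte GUID followed by a 64-bit little-endian size
// that counts the 24-byte header itself.
const HEADER_LEN = 24;

// Build a constructed sub-object: zeroed GUID, declared size, zero payload.
function makeObject(declaredSize, payloadLen) {
  const bytes = new Uint8Array(HEADER_LEN + payloadLen);
  new DataView(bytes.buffer).setBigUint64(16, BigInt(declaredSize), true);
  return bytes;
}

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let at = 0;
  for (const p of parts) { out.set(p, at); at += p.length; }
  return out;
}

// Walk the sub-objects of an extension-data region. With `validate` false the
// loop trusts the declared size (the unchecked pattern); `maxSteps` exists
// only so this demonstration terminates instead of hanging.
function walkSubObjects(data, { validate, maxSteps = 1000 }) {
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  const sizes = [];
  let offset = 0;
  let steps = 0;
  while (data.byteLength - offset >= HEADER_LEN) {
    if (++steps > maxSteps) return { status: 'no-progress', sizes, offset };
    const size = view.getBigUint64(offset + 16, true);
    const remaining = BigInt(data.byteLength - offset);
    // Hardened path: a size below the header length or past the end is invalid.
    if (validate && (size < BigInt(HEADER_LEN) || size > remaining)) {
      return { status: 'rejected', sizes, offset, badSize: size };
    }
    sizes.push(size);
    offset += Number(size); // a declared size of 0 leaves offset unchanged
  }
  return { status: 'ok', sizes, offset };
}

// Constructed inputs: one well-formed 32-byte object, then a size-0 object.
const good = makeObject(32, 8);
const malformed = concat(good, makeObject(0, 0));
```
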
Detect and mitigate CVE-2026-32256 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.