CVE-2026-32256

描述

# Summary music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. ## Root Cause When objectSize is 0: 1. `remaining = 0 - 24 = -24` 2. `tokenizer.ignore(-24)` moves the read position backward by 24 bytes 3. `extensionSize -= 0` (loop counter never decreases) 4. `while (extensionSize > 0)` never exits 5. The same 24-byte header is re-read infinitely This is the same pattern as CVE-2026-31808 (GHSA-5v7r-6r5c-r473) in file-type — strtok3's `AbstractTokenizer.ignore()` accepts negative values without validation. ## Affected Methods - `parseFile()` — HANGS (FileTokenizer inherits vulnerable ignore()) - `parseBuffer()` — HANGS (BufferTokenizer inherits vulnerable ignore()) - `parseStream()` — NOT affected (ReadStreamTokenizer has own ignore() that throws RangeError) ## Impact A 100-byte crafted .asf file permanently hangs any application using parseFile() or parseBuffer(). music-metadata has 2.2M weekly npm downloads. ## Suggested Fix Validate `objectSize >= minimumHeaderSize` before calculating the payload. Or fix strtok3's `AbstractTokenizer.ignore()` to reject negative values.

如何修補 CVE-2026-32256

要修補 CVE-2026-32256,請將受影響套件升級到下列已修補版本。

—升級至 11.12.3 或更新版本

CVE-2026-32256 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 11.12.3

CVSS 分數

來源

描述

如何修補 CVE-2026-32256

CVE-2026-32256 正在被利用嗎?

受影響套件(1)

CVSS 分數

參考連結(4)