{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-25T16:25:45.264","vulnerabilities":[{"cve":{"id":"CVE-2026-32630","sourceIdentifier":"security-advisories@github.com","published":"2026-03-16T14:19:40.593","lastModified":"2026-06-17T10:36:07.973","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2."},{"lang":"es","value":"file-type detecta el tipo de archivo de un archivo, flujo o datos. Desde 20.0.0 hasta 21.3.1, un archivo ZIP manipulado puede provocar un crecimiento excesivo de la memoria durante la detección de tipo en file-type al usar fileTypeFromBuffer(), fileTypeFromBlob() o fileTypeFromFile(). El límite de salida de descompresión ZIP se aplica para la detección basada en flujo, pero no para entradas de tamaño conocido. Como resultado, un ZIP comprimido pequeño puede hacer que file-type descomprima y procese una carga útil mucho mayor mientras sondea formatos basados en ZIP como OOXML. Esta vulnerabilidad está corregida en 21.3.2."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"sindresorhus","product":"file-type","versions":[{"version":">= 20.0.0, < 21.3.2","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-16T16:59:32.922021Z","id":"CVE-2026-32630","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-409"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*","versionStartIncluding":"20.0.0","versionEndExcluding":"21.3.2","matchCriteriaId":"D0F498D6-3940-4A11-8A75-5437FC77A0ED"}]}]}],"references":[{"url":"https://github.com/sindresorhus/file-type/commit/399b0f156063f5aeb1c124a7fd61028f3ea7c124","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}