Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-31808
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @mweinelt ignored
    4 packages
    • perlPackages.FileType
    • perl5Packages.FileType
    • perl538Packages.FileType
    • perl540Packages.FileType
    2 months, 2 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.

Affected products

file-type
  • ==>= 13.0.0, < 21.3.1
Ignored packages (4)

pkgs.perlPackages.FileType

Uses magic numbers (typically at the start of a file) to determine the MIME type of that file

  • nixos-unstable 0.22
    • nixpkgs-unstable 0.22
    • nixos-unstable-small 0.22
  • nixos-25.11 0.22
    • nixos-25.11-small 0.22
    • nixpkgs-25.11-darwin 0.22

pkgs.perl5Packages.FileType

Uses magic numbers (typically at the start of a file) to determine the MIME type of that file

  • nixos-unstable 0.22
    • nixpkgs-unstable 0.22
    • nixos-unstable-small 0.22

pkgs.perl538Packages.FileType

Uses magic numbers (typically at the start of a file) to determine the MIME type of that file

  • nixos-25.11 0.22
    • nixos-25.11-small 0.22
    • nixpkgs-25.11-darwin 0.22

pkgs.perl540Packages.FileType

Uses magic numbers (typically at the start of a file) to determine the MIME type of that file

  • nixos-25.11 0.22
    • nixos-25.11-small 0.22
    • nixpkgs-25.11-darwin 0.22 
Not in nixpkgs