Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-mhxj-85r3-2x55: file-type vulnerable to Infinite Loop via malformed MKV file

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

ghsa
#nodejs#js#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2022-36313

file-type vulnerable to Infinite Loop via malformed MKV file

Moderate severity GitHub Reviewed Published Jul 22, 2022 • Updated Jul 22, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

Package

npm file-type (npm)

Affected versions

< 16.5.4

>= 17.0.0, < 17.1.3

Patched versions

16.5.4

17.1.3

Description

Related news

CVE-2022-36777: Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system. IBM X-Force ID: 233665.

Red Hat Security Advisory 2023-0713-01

Red Hat Security Advisory 2023-0713-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. Data Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Issues addressed include denial of service and deserialization vulnerabilities.

RHSA-2023:0713: Red Hat Security Advisory: Red Hat Data Grid 8.4.1 security update

An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36313: A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive. * CVE-2022-37603: A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. ...

CVE-2022-36313: Release v16.5.4 · sindresorhus/file-type

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.