BUG: file-type vulnerable to Infinite Loop #830

palisadoes · 2022-12-30T03:41:34Z

Describe the bug

An issue was discovered in the file-type package from 13.0.0 until 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack when used on a web server.

Update package-lock.json

To Reproduce
See above

Expected behavior
No vulnerabiltiy present

Actual behavior
See above

Screenshots
See above

Additional details

prathamesh-mutkure · 2023-01-02T18:11:41Z

I think I can work on this issue, can any maintainer assign it to me?

palisadoes added the bug Something isn't working label Dec 30, 2022

github-actions bot added the unapproved Unapproved for Pull Request label Dec 30, 2022

palisadoes assigned prathamesh-mutkure Jan 2, 2023

palisadoes removed the unapproved Unapproved for Pull Request label Jan 2, 2023

prathamesh-mutkure mentioned this issue Jan 3, 2023

Bump image-hash to fix file-type vulnerability #840

Closed

palisadoes mentioned this issue Jan 3, 2023

Bump file-type and image-hash #841

Merged

palisadoes closed this as completed in #841 Jan 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BUG: file-type vulnerable to Infinite Loop #830

BUG: file-type vulnerable to Infinite Loop #830

palisadoes commented Dec 30, 2022

prathamesh-mutkure commented Jan 2, 2023 •

edited

BUG: file-type vulnerable to Infinite Loop #830

BUG: file-type vulnerable to Infinite Loop #830

Comments

palisadoes commented Dec 30, 2022

prathamesh-mutkure commented Jan 2, 2023 • edited

prathamesh-mutkure commented Jan 2, 2023 •

edited