CVE-2022-36313
Denial of Service vulnerability in file-type (npm)
What is CVE-2022-36313 About?
This is a Denial of Service vulnerability in the 'file-type' package for Node.js, affecting versions from 13.0.0 until 16.5.4 and 17.x before 17.1.3. A malformed MKV file can cause the file type detector to enter an infinite loop, making the application unresponsive. Exploitation is straightforward: an attacker only needs to supply a malicious MKV file.
Affected Software
- file-type
  - >17.0.0, <17.1.3
  - >13.0.0, <16.5.4
Technical Details
The file-type package (versions 13.0.0-16.5.4 and 17.x before 17.1.3) for Node.js is vulnerable to a Denial of Service. The issue arises when the package attempts to detect the file type of a specially crafted, malformed MKV (Matroska Video) file. The file type detection logic, particularly for MKV files, contains a flaw that can be triggered by specific byte sequences within the malformed file. This flaw causes the detector to enter an infinite loop, continuously processing the invalid input without termination. As a result, the Node.js application hosting the package becomes unresponsive, consuming all available CPU resources and leading to a denial of service for any service relying on this file type detection, such as file upload processors on a web server.
What is the Impact of CVE-2022-36313?
Successful exploitation may allow attackers to trigger an infinite loop in the file type detector by supplying a malformed MKV file, leading to a denial of service and making the application unresponsive.
What is the Exploitability of CVE-2022-36313?
Exploiting this vulnerability requires an attacker to provide a specially crafted malformed MKV file to an application that uses the vulnerable file-type package. The complexity is low to moderate, as it requires crafting specific byte sequences to trigger the infinite loop. Authentication may not be required if the application allows unauthenticated file uploads or processing of external files. Privilege requirements are typically none. This could be a remote vulnerability if file uploads are accepted over a network, leading to a DoS on a web server. The primary risk factor is allowing untrusted users to upload or provide files that are then processed by the file-type package without robust input validation or timeout mechanisms.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-36313?
Available Upgrade Options
- file-type
  - >13.0.0, <16.5.4 → Upgrade to 16.5.4
- file-type
  - >17.0.0, <17.1.3 → Upgrade to 17.1.3
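file-type is often installed as a nested, transitive dependency, so upgrading the top-level copy may leave affected copies behind. The following added example (not code from the file-type project or from this advisory) walks an npm lockfile's "packages" map and reports every copy inside the ranges listed above with its upgrade target. The sample lockfile and its package names are constructed, and lower bounds are assumed inclusive, following the description.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for file-type copies
// in this advisory's ranges. Assumption: lower bounds inclusive ("from 13.0.0", "17.x").
const AFFECTED = [
  { from: [13, 0, 0], before: [16, 5, 4], fix: '16.5.4' },
  { from: [17, 0, 0], before: [17, 1, 3], fix: '17.1.3' },
];

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return the fixed version to upgrade to, or null when the version is not affected.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED.find(r => compare(v, r.from) >= 0 && compare(v, r.before) < 0);
  return hit ? hit.fix : null;
}

// Walk every installed copy, including nested transitive ones such as
// node_modules/some-dep/node_modules/file-type (scoped look-alikes do not match).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/file-type$/.test(path)) continue;
    const fix = fixFor(entry.version);
    if (fix) findings.push({ path, version: entry.version, fix });
  }
  return findings;
}

// Constructed sample lockfile; package names other than file-type are hypothetical.
const sampleLock = {
  packages: {
    'node_modules/file-type': { version: '16.5.4' },
    'node_modules/image-pipeline/node_modules/file-type': { version: '16.5.3' },
    'node_modules/media-probe/node_modules/file-type': { version: '17.1.2' },
    'node_modules/legacy-sniffer/node_modules/file-type': { version: '12.4.2' },
  },
};
```

Pass the parsed contents of a real `package-lock.json` to `auditLockfile` to list the copies that still need the upgrade.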
Additional Resources
- https://security.netapp.com/advisory/ntap-20220909-0005/
- https://github.com/sindresorhus/file-type/commit/2c4d1200c99dffb7d515b9b9951ef43c22bf7e47
- https://github.com/sindresorhus/file-type/releases/tag/v16.5.4
- https://github.com/sindresorhus/file-type/releases/tag/v17.1.3
- https://www.npmjs.com/package/file-type
- https://github.com/sindresorhus/file-type/commit/d86835680f4cccbee1a60628783c36700ec9e254
- https://security.snyk.io/vuln/SNYK-JS-FILETYPE-2958042
- https://github.com/sindresorhus/file-type
What are Similar Vulnerabilities to CVE-2022-36313?
Similar Vulnerabilities: CVE-2020-7661, CVE-2021-23366, CVE-2020-13692, CVE-2021-23381, CVE-2020-15250
