The vulnerability identified as CVE-2026-31808 exists in the sindresorhus file-type library, a widely used Node.js package for detecting file types from files, streams, or data buffers. Specifically, the flaw resides in the ASF (Advanced Systems Format) parser responsible for identifying WMV/WMA file types. When the parser encounters a crafted input where an ASF sub-header's size field is zero, it triggers an infinite loop condition. This happens because the payload value used to advance the read position becomes negative (-24), causing the tokenizer.ignore(payload) function to move the read cursor backwards instead of forwards. Consequently, the parser repeatedly reads the same sub-header indefinitely, effectively stalling the Node.js event loop. This denial of service (DoS) condition can be triggered remotely by sending a maliciously crafted 55-byte payload to any application that uses the vulnerable versions (>=13.0.0 and <21.3.1) of file-type to process untrusted input. The vulnerability requires no privileges or user interaction, making it relatively easy to exploit. The issue was addressed and fixed in version 21.3.1 by correcting the handling of the ASF sub-header size field to prevent the infinite loop. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the impact being limited to availability without affecting confidentiality or integrity. No known exploits have been reported in the wild as of the publication date.

This vulnerability can cause denial of service by stalling the Node.js event loop, effectively freezing applications that rely on the vulnerable file-type library for file type detection. This can degrade service availability, disrupt processing pipelines, and potentially cause cascading failures in systems that depend on timely file processing. Organizations that accept or process untrusted file inputs—such as web services, file upload handlers, media processing platforms, or security scanners—are at risk. The attack requires minimal payload size and no authentication, increasing the likelihood of exploitation in exposed environments. While the impact is limited to availability and does not compromise data confidentiality or integrity, the resulting service disruption can affect user experience, operational continuity, and potentially lead to resource exhaustion or denial of service conditions in larger scale attacks.

To mitigate this vulnerability, organizations should upgrade the sindresorhus file-type library to version 21.3.1 or later, where the infinite loop issue is fixed. For environments where immediate upgrade is not feasible, implementing input validation to detect and reject malformed ASF files with zero-sized sub-headers can help reduce risk. Additionally, applying timeouts or watchdog mechanisms on file processing routines can prevent indefinite blocking of the Node.js event loop. Employing sandboxing or resource limiting for file parsing operations can also contain the impact of potential infinite loops. Monitoring application logs for repeated parsing failures or unusually long processing times may help detect exploitation attempts. Finally, restricting exposure of file-type detection services to trusted sources or behind authentication can reduce attack surface.