CVE-2026-31988: Off-by-one Error in thejoshwolfe yauzl

Severity: Medium
Type: Vulnerability
Published: Wed Mar 11 2026 (03/11/2026, 22:58:48 UTC)
Source: CVE Database V5
Vendor/Project: thejoshwolfe
Product: yauzl

Description

CVE-2026-31988 is an off-by-one vulnerability in the yauzl Node.js library version 3.2.0, specifically in the NTFS extended timestamp extra field parser within the getLastModDate() function. The flaw allows a crafted zip file with a malformed NTFS extra field to cause a denial of service by triggering a process crash via an ERR_OUT_OF_RANGE exception. This occurs because the code reads beyond the buffer boundary due to incorrect loop boundary checks. The vulnerability affects any Node.js application that processes zip uploads and calls entry.getLastModDate() on parsed entries. No authentication or user interaction is required to exploit this remotely.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/19/2026, 02:30:12 UTC

Technical Analysis

The vulnerability CVE-2026-31988 resides in the yauzl library, a popular Node.js module used for unzipping files. In version 3.2.0, the getLastModDate() function parses the NTFS extended timestamp extra field of zip entries. The parsing loop uses an incorrect boundary condition: it checks if the cursor is less than data.length + 4 instead of ensuring cursor + 4 is less than or equal to data.length. This off-by-one error allows the readUInt16LE() function to read two bytes beyond the buffer boundary, leading to an ERR_OUT_OF_RANGE exception. When a Node.js application processes a maliciously crafted zip file containing a malformed NTFS extra field and calls entry.getLastModDate(), it can trigger a denial of service by crashing the process. This vulnerability does not require any privileges or user interaction and can be exploited remotely by submitting a specially crafted zip file. The issue was addressed in yauzl version 3.2.1 by correcting the loop boundary condition to prevent out-of-bounds reads. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on availability (denial of service). No known exploits have been reported in the wild, but the vulnerability poses a risk to any Node.js applications that handle zip file uploads and utilize this function.

Potential Impact

The primary impact of this vulnerability is a denial of service condition caused by a process crash in Node.js applications using yauzl 3.2.0 to process zip files. This can disrupt services that rely on zip file uploads, such as web applications, APIs, or automated processing pipelines, potentially leading to downtime or degraded service availability. Since the vulnerability can be triggered remotely without authentication or user interaction, attackers can exploit it to cause repeated crashes, resulting in service interruptions or resource exhaustion. Although the vulnerability does not lead to code execution or data leakage, the denial of service impact can affect business operations, customer trust, and system reliability. Organizations that rely heavily on Node.js applications for file processing, especially those accepting user-uploaded zip files, are at risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation. The medium severity rating reflects the moderate impact and ease of exploitation.

Mitigation Recommendations

Organizations should immediately upgrade the yauzl library to version 3.2.1 or later, where the off-by-one error has been fixed. For applications that cannot upgrade immediately, implement input validation to reject zip files containing suspicious or malformed NTFS extra fields before processing. Employ sandboxing or process isolation techniques to limit the impact of potential crashes caused by malformed files. Incorporate robust error handling around calls to entry.getLastModDate() to gracefully handle exceptions without crashing the entire application. Monitor application logs for ERR_OUT_OF_RANGE exceptions or unusual crashes related to zip file processing. Additionally, consider rate limiting or filtering zip file uploads from untrusted sources to reduce exposure. Regularly review and update dependencies to ensure vulnerabilities are patched promptly. Finally, conduct security testing on file upload features to detect similar parsing issues proactively.
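The loop boundary from the Technical Analysis and the error-handling mitigation recommended above, as an added example that is not yauzl's code or part of the original advisory. It is a simplified stand-in for the NTFS attribute walk run over two constructed buffers; the function names and sample values are assumptions made for illustration.

```javascript
// Simplified stand-in for the NTFS (0x000a) attribute walk; not yauzl's source.
// `data` = extra-field payload: 4 reserved bytes, then (tag u16, size u16, value) records.
function findNtfsMtime(data, keepGoing) {
  let cursor = 4; // skip the reserved bytes
  while (keepGoing(cursor, data)) {
    const tag = data.readUInt16LE(cursor);      // reads bytes cursor .. cursor+1
    const size = data.readUInt16LE(cursor + 2); // reads bytes cursor+2 .. cursor+3
    cursor += 4;
    if (tag === 0x0001 && size >= 8 && cursor + 8 <= data.length) {
      return data.readBigUInt64LE(cursor); // mtime as a Windows FILETIME
    }
    cursor += size; // not the timestamp attribute: skip its value
  }
  return null;
}

// Loop boundary as the advisory describes it for 3.2.0.
const flawed = (cursor, data) => cursor < data.length + 4;
// Loop boundary as the advisory describes the fix: a full 4-byte header must fit.
const fixed = (cursor, data) => cursor + 4 <= data.length;

// Constructed sample: reserved bytes, then attribute 0x0001 carrying three FILETIMEs.
function wellFormedField() {
  const b = Buffer.alloc(4 + 4 + 24);
  b.writeUInt16LE(0x0001, 4);
  b.writeUInt16LE(24, 6);
  b.writeBigUInt64LE(132000000000000000n, 8);
  return b;
}

// Constructed sample: no 0x0001 attribute, so the walk runs to the end of the buffer.
function fieldWithoutTimestamp() {
  const b = Buffer.alloc(4 + 4 + 2);
  b.writeUInt16LE(0x0002, 4);
  b.writeUInt16LE(2, 6);
  return b;
}

// Mitigation from the page: contain the exception instead of letting it crash the process.
function tryFindMtime(data, keepGoing) {
  try {
    return { ok: true, mtime: findNtfsMtime(data, keepGoing) };
  } catch (err) {
    return { ok: false, code: err.code };
  }
}

console.log(tryFindMtime(fieldWithoutTimestamp(), flawed)); // flawed boundary
console.log(tryFindMtime(fieldWithoutTimestamp(), fixed));  // corrected boundary
```

A well-formed field returns early under either boundary, which is why the flawed condition only surfaces when the walk reaches the end of the buffer.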


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-03-10T19:48:11.109Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b1f7682f860ef94392e990

Added to database: 3/11/2026, 11:14:48 PM

Last enriched: 3/19/2026, 2:30:12 AM

Last updated: 4/24/2026, 11:57:17 PM
