CVE-2026-31988: Off-by-one Error in thejoshwolfe yauzl
CVE-2026-31988 is an off-by-one vulnerability in version 3.2.0 of the yauzl Node.js library, specifically in the NTFS extended timestamp extra field parser within the getLastModDate() function. The flaw arises because the while loop condition allows readUInt16LE() to read beyond the buffer boundary, leading to an ERR_OUT_OF_RANGE exception. A remote attacker can exploit this by sending a crafted zip file with a malformed NTFS extra field, causing a denial of service via process crash. This affects any Node.js application that processes zip uploads and calls entry.getLastModDate() on parsed entries. The issue is fixed in version 3.2.1.
AI Analysis
Technical Summary
The vulnerability CVE-2026-31988 exists in the yauzl library version 3.2.0, a popular Node.js module used for unzipping files. The root cause is an off-by-one error in the parsing logic of the NTFS extended timestamp extra field within the getLastModDate() function. Specifically, the while loop condition incorrectly checks if cursor < data.length + 4 instead of ensuring cursor + 4 <= data.length before calling readUInt16LE(). This improper boundary check allows the function to read beyond the allocated buffer, triggering an ERR_OUT_OF_RANGE exception. When a Node.js application processes a maliciously crafted zip file containing a malformed NTFS extra field and invokes entry.getLastModDate(), the process crashes, resulting in a denial of service (DoS). This vulnerability does not require any privileges or user interaction, making it remotely exploitable by simply uploading or processing a malicious zip file. The issue is resolved in yauzl version 3.2.1 by correcting the boundary check to prevent out-of-bounds reads. No known active exploits have been reported, but the vulnerability poses a risk to any Node.js application relying on yauzl 3.2.0 for zip file handling, especially those accepting untrusted zip uploads.
Potential Impact
The primary impact of this vulnerability is a denial of service condition caused by a process crash when handling malicious zip files. Organizations using Node.js applications that rely on yauzl 3.2.0 for processing zip uploads may experience service interruptions, potentially affecting availability of critical services. This can disrupt workflows, degrade user experience, and cause operational downtime. While the vulnerability does not allow code execution or data leakage, repeated exploitation could be used as a vector for targeted disruption or to amplify attacks against web services that accept zip files. Systems exposed to untrusted or user-supplied zip files are at greatest risk. The impact is particularly significant for cloud services, SaaS platforms, and web applications that automate zip file processing without strict input validation or sandboxing. The lack of authentication or user interaction requirements increases the attack surface, enabling remote attackers to trigger the DoS with minimal effort.
Mitigation Recommendations
To mitigate this vulnerability, affected organizations should upgrade the yauzl library to version 3.2.1 or later, where the off-by-one error is fixed. For applications that cannot immediately upgrade, implement input validation to reject zip files containing suspicious or malformed NTFS extra fields before processing. Employ sandboxing or process isolation techniques to limit the impact of potential crashes caused by malformed files. Additionally, monitor application logs for ERR_OUT_OF_RANGE exceptions or unexpected process terminations related to zip file handling. Consider rate limiting or filtering zip file uploads from untrusted sources to reduce exposure. Security teams should also review and update dependency management practices to ensure timely patching of third-party libraries. Finally, educate developers about safe handling of binary file parsing and boundary checks to prevent similar vulnerabilities.
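The bounds check from the technical summary, and the kind of strict pre-validation the mitigation paragraph recommends, shown side by side in an added example (not yauzl's own code). The record layout, the helper readNtfsMtime and the sample buffers are assumptions constructed for illustration.

```javascript
// Added example. Assumed layout of NTFS extra field data (header ID 0x000a):
// 4 reserved bytes, then records of { tag: u16le, size: u16le, size bytes }.
// Tag 1 carries timestamps as 64-bit counts of 100 ns ticks since 1601-01-01.
const EPOCH_DIFF_MS = 11644473600000n; // 1601-01-01 to 1970-01-01, in ms

// Loop condition as the advisory describes it for 3.2.0.
const looseCheck = (cursor, length) => cursor < length + 4;
// Corrected condition: the 4-byte tag/size header must fit before it is read.
const strictCheck = (cursor, length) => cursor + 4 <= length;

// Hypothetical helper: returns { ok: true, mtime } or { ok: false, code }.
function readNtfsMtime(data, loopCheck) {
  let cursor = 4; // skip the reserved bytes
  try {
    while (loopCheck(cursor, data.length)) {
      const tag = data.readUInt16LE(cursor);
      const size = data.readUInt16LE(cursor + 2);
      cursor += 4;
      // The record body must also fit inside the buffer.
      if (cursor + size > data.length) return { ok: false, code: "TRUNCATED_RECORD" };
      if (tag === 1 && size >= 8) {
        const ticks = data.readBigUInt64LE(cursor);
        return { ok: true, mtime: new Date(Number(ticks / 10000n - EPOCH_DIFF_MS)) };
      }
      cursor += size;
    }
  } catch (err) {
    // Left uncaught in a server, this exception is what ends the process.
    return { ok: false, code: err.code };
  }
  return { ok: true, mtime: null }; // no timestamp record present
}

// Constructed samples (not taken from any real archive).
function makeWellFormed(ms) {
  const buf = Buffer.alloc(4 + 4 + 24);
  buf.writeUInt16LE(1, 4); // tag
  buf.writeUInt16LE(24, 6); // size: three 8-byte timestamps
  buf.writeBigUInt64LE((BigInt(ms) + EPOCH_DIFF_MS) * 10000n, 8);
  return buf;
}
const reservedOnly = Buffer.alloc(4); // reserved bytes with no records after them

console.log(readNtfsMtime(makeWellFormed(Date.UTC(2026, 0, 1)), strictCheck));
console.log(readNtfsMtime(reservedOnly, strictCheck));
console.log(readNtfsMtime(reservedOnly, looseCheck));
```
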
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-10T19:48:11.109Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1f7682f860ef94392e990
Added to database: 3/11/2026, 11:14:48 PM
Last enriched: 3/11/2026, 11:29:26 PM
Last updated: 3/12/2026, 12:15:36 AM