
CVE-2026-32630: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) in sindresorhus file-type

Severity: Medium
Tags: CVE-2026-32630, CWE-409
Published: Fri Mar 13 2026 (03/13/2026, 20:54:16 UTC)
Source: CVE Database V5
Vendor/Project: sindresorhus
Product: file-type

Description

CVE-2026-32630 is a medium severity vulnerability in the sindresorhus file-type library versions 20.0.0 through 21.3.1. It involves improper handling of highly compressed ZIP data during file type detection, leading to excessive memory consumption. The issue arises because the ZIP inflate output limit is enforced only for stream-based detection, not for known-size inputs, allowing a small crafted ZIP file to expand into a much larger payload in memory. This can cause denial of service due to resource exhaustion when functions like fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile() process malicious inputs. The vulnerability is fixed in version 21.3.

AI-Powered Analysis

Last updated: 03/13/2026, 21:29:39 UTC

Technical Analysis

The vulnerability CVE-2026-32630 affects the sindresorhus file-type library, a popular JavaScript/TypeScript utility used to detect file types from buffers, blobs, or files. Versions from 20.0.0 up to but not including 21.3.2 improperly handle highly compressed ZIP files during type detection. Specifically, when processing ZIP-based formats such as OOXML, the library decompresses the input data without enforcing an inflate output size limit for known-size inputs. While stream-based detection enforces this limit to prevent excessive memory usage, the lack of such a limit for buffer-based inputs allows an attacker to craft a small ZIP file that decompresses into a significantly larger payload. This leads to excessive memory growth and potential denial of service (DoS) conditions due to resource exhaustion. The vulnerability is categorized under CWE-409 (Improper Handling of Highly Compressed Data/Data Amplification). The CVSS v3.1 base score is 5.3 (medium severity), reflecting network attack vector, no privileges or user interaction required, and impact limited to availability (memory exhaustion). No known exploits have been reported in the wild. The issue was addressed in version 21.3.2 of the file-type library.

Potential Impact

This vulnerability primarily impacts the availability of systems using vulnerable versions of the file-type library. An attacker can cause excessive memory consumption by submitting crafted ZIP files, potentially leading to application crashes or degraded performance. This can result in denial of service, affecting services that rely on file-type for file validation or processing, such as web servers, file upload handlers, or malware scanners. Since the vulnerability does not affect confidentiality or integrity, the risk is limited to service disruption. However, given the widespread use of the file-type library in Node.js applications globally, the impact could be significant in environments processing untrusted file inputs. The lack of required authentication or user interaction increases the risk of remote exploitation. Organizations with automated file processing pipelines or public-facing APIs that accept file uploads are particularly at risk.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade the sindresorhus file-type library to version 21.3.2 or later, where the issue is fixed. If immediate upgrade is not feasible, implement input validation to reject suspiciously small ZIP files that decompress to large sizes or limit the size of files accepted for processing. Employ resource monitoring and limits on memory usage for processes handling file-type operations to prevent system-wide impact. Consider sandboxing or isolating file processing components to contain potential denial of service effects. Additionally, review application logic to avoid relying solely on file-type for security decisions without complementary checks. Monitoring for abnormal memory usage patterns during file uploads can help detect exploitation attempts. Finally, keep dependencies up to date and subscribe to security advisories for timely awareness of such vulnerabilities.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-12T15:29:36.559Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69b47e482f860ef943b3ab73

Added to database: 3/13/2026, 9:14:48 PM

Last enriched: 3/13/2026, 9:29:39 PM

Last updated: 3/13/2026, 10:34:15 PM

