Skip to content

common-11.1.9.tgz: 2 vulnerabilities (highest severity is: 5.3) #249

Description

@mend-bolt-for-github
Vulnerable Library - common-11.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (common version) Remediation Possible**
CVE-2026-32630 Medium 5.3 file-type-21.1.0.tgz Transitive N/A*
CVE-2026-31808 Medium 5.3 file-type-21.1.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-32630

Vulnerable Library - file-type-21.1.0.tgz

Detect the file type of a file, stream, or data

Library home page: https://registry.npmjs.org/file-type/-/file-type-21.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • common-11.1.9.tgz (Root Library)
    • file-type-21.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.

Publish Date: 2026-03-13

URL: CVE-2026-32630

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-13

Fix Resolution: https://github.com/sindresorhus/file-type.git - v21.3.2

Step up your Open Source Security Game with Mend here

CVE-2026-31808

Vulnerable Library - file-type-21.1.0.tgz

Detect the file type of a file, stream, or data

Library home page: https://registry.npmjs.org/file-type/-/file-type-21.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • common-11.1.9.tgz (Root Library)
    • file-type-21.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.

Publish Date: 2026-03-10

URL: CVE-2026-31808

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-10

Fix Resolution: https://github.com/sindresorhus/file-type.git - v21.3.1

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

Priority

None yet

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions