CVE-2022-36313

file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

Se ha detectado un problema en el paquete file-type versiones anteriores a 16.5.4 y 17.x anteriores a 17.1.3 para Node.js. Un archivo MKV malformado podía causar que el detector de tipo de archivo quedara atrapado en un bucle infinito. Esto haría que la aplicación dejara de responder y podría usarse para causar un ataque DoS

A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-20 CVE Reserved
2022-07-21 CVE Published
2024-02-26 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (6)

URL	Tag	Source
https://github.com/sindresorhus/file-type/releases/tag/v16.5.4	Release Notes
https://github.com/sindresorhus/file-type/releases/tag/v17.1.3	Release Notes
https://security.netapp.com/advisory/ntap-20220909-0005	Third Party Advisory
https://www.npmjs.com/package/file-type	Product

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-36313	2023-02-09
https://bugzilla.redhat.com/show_bug.cgi?id=2159682	2023-02-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
File-type Project Search vendor "File-type Project"		File-type Search vendor "File-type Project" for product "File-type"				< 16.5.4 Search vendor "File-type Project" for product "File-type" and version " < 16.5.4"		node.js		Affected
File-type Project Search vendor "File-type Project"		File-type Search vendor "File-type Project" for product "File-type"				>= 17.0.0 < 17.1.3 Search vendor "File-type Project" for product "File-type" and version " >= 17.0.0 < 17.1.3"		node.js		Affected