CVE-2022-36313

file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

Se ha detectado un problema en el paquete file-type versiones anteriores a 16.5.4 y 17.x anteriores a 17.1.3 para Node.js. Un archivo MKV malformado podía causar que el detector de tipo de archivo quedara atrapado en un bucle infinito. Esto haría que la aplicación dejara de responder y podría usarse para causar un ataque DoS

A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive.

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. Data Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Issues addressed include denial of service and deserialization vulnerabilities.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-20 CVE Reserved
2022-07-21 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (6)

URL	Tag	Source
https://github.com/sindresorhus/file-type/releases/tag/v16.5.4	Release Notes
https://github.com/sindresorhus/file-type/releases/tag/v17.1.3	Release Notes
https://security.netapp.com/advisory/ntap-20220909-0005	Third Party Advisory
https://www.npmjs.com/package/file-type	Product

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-36313	2023-02-09
https://bugzilla.redhat.com/show_bug.cgi?id=2159682	2023-02-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
File-type Project Search vendor "File-type Project"		File-type Search vendor "File-type Project" for product "File-type"				< 16.5.4 Search vendor "File-type Project" for product "File-type" and version " < 16.5.4"		node.js		Affected
File-type Project Search vendor "File-type Project"		File-type Search vendor "File-type Project" for product "File-type"				>= 17.0.0 < 17.1.3 Search vendor "File-type Project" for product "File-type" and version " >= 17.0.0 < 17.1.3"		node.js		Affected