Description

yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
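The two loop conditions quoted above, run against a constructed truncated NTFS extra field. This is an added example, not yauzl's source: the parser and the names readNtfsMtime, flawedGuard, fixedGuard and outcome are hypothetical, and the layout assumed is the ZIP NTFS extra field (4 reserved bytes, then tag/size/data attributes).

```javascript
// Added illustration; NOT yauzl's code. All names here are hypothetical.
// Assumed layout of NTFS extra field data: 4 reserved bytes, then attributes of
// [tag: uint16le][size: uint16le][size bytes]. Tag 0x0001 holds mtime/atime/ctime
// as three 64-bit FILETIME values.
function readNtfsMtime(data, loopGuard) {
  let cursor = 4; // skip the reserved bytes
  while (loopGuard(cursor, data)) {
    const tag = data.readUInt16LE(cursor);
    const size = data.readUInt16LE(cursor + 2); // needs bytes cursor+2 and cursor+3
    cursor += 4;
    if (tag === 0x0001 && size >= 8 && cursor + 8 <= data.length) {
      return data.readBigUInt64LE(cursor); // mtime as raw FILETIME ticks
    }
    cursor += size; // skip an attribute we do not use
  }
  return null; // no usable timestamp attribute
}

// Loop condition the advisory describes as flawed: true even when fewer than
// 4 bytes of attribute header remain.
const flawedGuard = (cursor, data) => cursor < data.length + 4;
// Loop condition the advisory gives as correct: a full 4-byte header must fit.
const fixedGuard = (cursor, data) => cursor + 4 <= data.length;

// Constructed input: one complete timestamp attribute (arbitrary FILETIME value).
const wellFormed = Buffer.alloc(4 + 4 + 24);
wellFormed.writeUInt16LE(0x0001, 4);
wellFormed.writeUInt16LE(24, 6);
wellFormed.writeBigUInt64LE(132223104000000000n, 8);

// Constructed input: the field ends 2 bytes into the attribute header.
const truncated = Buffer.alloc(4 + 2);
truncated.writeUInt16LE(0x0001, 4);

// Summarise a parse as "mtime", "none", or the error code Node.js raised.
function outcome(data, guard) {
  try {
    return readNtfsMtime(data, guard) === null ? "none" : "mtime";
  } catch (err) {
    return err.code;
  }
}

console.log("flawed/truncated:", outcome(truncated, flawedGuard));
console.log("fixed/truncated: ", outcome(truncated, fixedGuard));
```

Both guards return the same timestamp for the well-formed field; only the truncated one separates them, which is why a regression test for this class of bug needs a field that ends inside an attribute header.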

PUBLISHED Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-11 | Assigner VulnCheck




MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

Off-by-one Error

Product status

Default status: unaffected

3.2.0 (semver) before 3.2.1: affected

3.2.1: unaffected

Credits

CodeAnt AI Code Reviewer (finder)

References

github.com/...ommit/c4695215b05c6adffda613b9051a2a85429b33fe (Patch Commit) patch

www.codeant.ai/...rch/yauzl-denial-of-service-zip-file-crash (CodeAnt AI Security Research Advisory) third-party-advisory

www.npmjs.com/package/yauzl (npm - yauzl) product

www.vulncheck.com/...f-by-one-error-in-ntfs-timestamp-parser (VulnCheck Advisory: yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser) third-party-advisory

cve.org (CVE-2026-31988)

nvd.nist.gov (CVE-2026-31988)
