Popular npm Package file-type Vulnerable to ZIP Bomb Denial of Service Attack
Versions 20.0.0 through 21.3.1 fail to enforce decompression limits, allowing crafted archives to crash servers
The vulnerability affects file-type versions 20.0.0 through 21.3.1 and has been assigned a CVSS score of 5.3. The package is used across the Node.js ecosystem for MIME type detection, meaning any service that accepts user-uploaded files and uses file-type for validation is potentially exposed.
The root cause is a CWE-409 issue: the package fails to consistently apply its own memory allocation limits when decompressing internal ZIP file entries. When processing entries with a known size, the decompression limit is bypassed, allowing a crafted ZIP bomb to expand massively in memory and crash the process.
The fix, shipped in version 21.3.2, enforces a strict 1 MiB limit on all ZIP entry decompression, regardless of whether the entry size is known. A proof-of-concept exploit exists, but no active exploitation has been reported.
The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalogue.
Analysis
Why This Matters
file-type is a foundational package in the Node.js ecosystem. Any application that validates uploaded file types — which includes most web applications that accept file uploads — could be running a vulnerable version.
What to Watch
Update to file-type 21.3.2 or later. If you cannot upgrade immediately, consider adding your own file size validation before passing archives to file-type for analysis.