
yauzl Library for Node.js Can Crash from Malformed Zip File

CVE-2026-31988 GHSA-gmq8-994r-jv83
Summary

The yauzl library for Node.js can crash if it processes a specially crafted zip file. This happens when the library tries to get the last modification date of a file in the zip. To fix this, update to version 3.2.1.

What to do
  • Update yauzl to version 3.2.1.
Affected software
Vendor | Product | Affected versions | Fix available
–      | yauzl   | <= 3.2.1          | 3.2.1
Original title
yauzl contains an off-by-one error
Original description
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
nvd CVSS3.1 5.3
nvd CVSS4.0 6.9
Vulnerability type
CWE-193
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026
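
The two loop conditions quoted in the original description, compared on a simplified tag/size record walker. This is an added example, not yauzl's source code; `walkRecords`, `tryWalk`, the record layout and the sample bytes are assumptions constructed for illustration.

```javascript
// Simplified tag/size record walker (hypothetical; not yauzl's source code).
// Each record: 2-byte LE tag, 2-byte LE size, then `size` bytes of payload.
function walkRecords(data, loopCondition) {
  const records = [];
  let cursor = 0;
  while (loopCondition(cursor, data)) {
    const tag = data.readUInt16LE(cursor);      // needs bytes cursor .. cursor+1
    const size = data.readUInt16LE(cursor + 2); // needs bytes cursor+2 .. cursor+3
    cursor += 4;
    if (cursor + size > data.length) break;     // truncated payload: stop reading
    records.push({ tag, payload: data.subarray(cursor, cursor + size) });
    cursor += size;
  }
  return records;
}

// Condition the advisory quotes as the defect: true even when fewer than
// 4 header bytes remain (and even when cursor is already at the end).
const offByOne = (cursor, data) => cursor < data.length + 4;

// Condition the advisory quotes as the correct check: a full 4-byte
// header must fit inside the buffer before either read happens.
const bounded = (cursor, data) => cursor + 4 <= data.length;

// Runs the walker and reports either the record count or the error code,
// so the caller sees the failure instead of an uncaught exception.
function tryWalk(data, loopCondition) {
  try {
    return { ok: true, count: walkRecords(data, loopCondition).length };
  } catch (err) {
    return { ok: false, code: err.code };
  }
}

// Constructed sample: one complete record (tag 1, size 2, payload aa bb)
// followed by 2 stray bytes that cannot hold a full 4-byte header.
const sample = Buffer.from([0x01, 0x00, 0x02, 0x00, 0xaa, 0xbb, 0x01, 0x00]);

console.log("off-by-one:", tryWalk(sample, offByOne));
console.log("bounded:   ", tryWalk(sample, bounded));
```

With the off-by-one condition the second pass reads the size field at offset 8 of an 8-byte buffer and Node.js throws `ERR_OUT_OF_RANGE`; with the bounded condition the loop exits after the one complete record.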