CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1052 vulnerabilities reference this CWE, most recent first.
GHSA-RV83-GXHH-G4JR
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-reload.c had an infinite loop that was addressed by validating a length.
{
"affected": [],
"aliases": [
"CVE-2018-7332"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-23T22:29:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-reload.c had an infinite loop that was addressed by validating a length.",
"id": "GHSA-rv83-gxhh-g4jr",
"modified": "2022-05-13T01:53:22Z",
"published": "2022-05-13T01:53:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7332"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14445"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1ab0585098c7ce20f3afceb6730427cc2a1e98ea"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00018.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2018-06.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RV95-4WXJ-6FQQ
Vulnerability from github – Published: 2019-02-07 18:18 – Updated: 2024-09-13 14:26In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "colander"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18361"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:55:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.",
"id": "GHSA-rv95-4wxj-6fqq",
"modified": "2024-09-13T14:26:33Z",
"published": "2019-02-07T18:18:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18361"
},
{
"type": "WEB",
"url": "https://github.com/Pylons/colander/issues/290"
},
{
"type": "WEB",
"url": "https://github.com/Pylons/colander/pull/323"
},
{
"type": "WEB",
"url": "https://github.com/Pylons/colander/commit/98805557c10ab5ff3016ed09aa2d48c49b9df40b"
},
{
"type": "PACKAGE",
"url": "https://github.com/Pylons/colander"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rv95-4wxj-6fqq"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/colander/PYSEC-2019-167.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pylons Colander Denial of Service vulnerability"
}
GHSA-RVQR-F374-3QQW
Vulnerability from github – Published: 2022-05-02 03:23 – Updated: 2022-05-02 03:23libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted TAR file that causes (1) clamd and (2) clamscan to hang.
{
"affected": [],
"aliases": [
"CVE-2009-1270"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-04-08T16:30:00Z",
"severity": "HIGH"
},
"details": "libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted TAR file that causes (1) clamd and (2) clamscan to hang.",
"id": "GHSA-rvqr-f374-3qqw",
"modified": "2022-05-02T03:23:15Z",
"published": "2022-05-02T03:23:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1270"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49846"
},
{
"type": "WEB",
"url": "https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1462"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/53461"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/34716"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36701"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT3865"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2009/dsa-1771"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:097"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/04/07/6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/34357"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-754-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/0934"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V347-C52R-65XM
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2025-04-20 03:34The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.
{
"affected": [],
"aliases": [
"CVE-2017-5973"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-27T15:59:00Z",
"severity": "MODERATE"
},
"details": "The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.",
"id": "GHSA-v347-c52r-65xm",
"modified": "2025-04-20T03:34:50Z",
"published": "2022-05-13T01:07:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5973"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2392"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2408"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1421626"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01101.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201704-01"
},
{
"type": "WEB",
"url": "http://git.qemu-project.org/?p=qemu.git%3Ba=commit%3Bh=f89b60f6e5fee3923bedf80e82b4e5efc1bb156b"
},
{
"type": "WEB",
"url": "http://git.qemu-project.org/?p=qemu.git;a=commit;h=f89b60f6e5fee3923bedf80e82b4e5efc1bb156b"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/02/13/11"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96220"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V3Q7-57MP-77XP
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-gvcp.c by ensuring that an offset increases in all situations.
{
"affected": [],
"aliases": [
"CVE-2020-15466"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-05T11:15:00Z",
"severity": "MODERATE"
},
"details": "In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-gvcp.c by ensuring that an offset increases in all situations.",
"id": "GHSA-v3q7-57mp-77xp",
"modified": "2022-05-24T17:22:23Z",
"published": "2022-05-24T17:22:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15466"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16029"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=11f40896b696e4e8c7f8b2ad96028404a83a51a4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-13"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2020-09.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00026.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00038.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V456-CHPW-6MMW
Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-18 19:15It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "apache-avro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35724"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:15:54Z",
"nvd_published_at": "2022-08-09T07:15:00Z",
"severity": "HIGH"
},
"details": "It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.",
"id": "GHSA-v456-chpw-6mmw",
"modified": "2022-08-18T19:15:54Z",
"published": "2022-08-10T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35724"
},
{
"type": "PACKAGE",
"url": "https://github.com/a0x8o/avro"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/771z1nwrpkn1ovmyfb2fm65mchdxgy7p"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Avro Rust SDK vulnerable to reader looping in cycle endlessly, consuming CPU"
}
GHSA-V4XF-P7R4-PFPQ
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, the length field of the ipsec option header does not count the size of the option header itself, causing an infinite loop when the length is zero. This issue can allow a remote attacker who is able to send an arbitrary packet to cause the machine to crash.
{
"affected": [],
"aliases": [
"CVE-2018-6918"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-04T14:29:00Z",
"severity": "HIGH"
},
"details": "In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, the length field of the ipsec option header does not count the size of the option header itself, causing an infinite loop when the length is zero. This issue can allow a remote attacker who is able to send an arbitrary packet to cause the machine to crash.",
"id": "GHSA-v4xf-p7r4-pfpq",
"modified": "2022-05-13T01:53:13Z",
"published": "2022-05-13T01:53:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6918"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/77"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT210090"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT210091"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Jun/6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103666"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040628"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V594-44HM-2J7P
Vulnerability from github – Published: 2025-07-28 21:31 – Updated: 2025-11-05 00:31There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:
import tarfile
def _block_patched(self, count): if count < 0: # pragma: no cover raise tarfile.InvalidHeaderError("invalid offset") return _block_patched._orig_block(self, count)
_block_patched._orig_block = tarfile.TarInfo._block tarfile.TarInfo._block = _block_patched
{
"affected": [],
"aliases": [
"CVE-2025-8194"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T19:15:43Z",
"severity": "HIGH"
},
"details": "There is a defect in the CPython \u201ctarfile\u201d module affecting the \u201cTarFile\u201d extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the \u201ctarfile\u201d module:\n\n\n\nimport tarfile\n\ndef _block_patched(self, count):\n\u00a0 \u00a0 if count \u003c 0: # pragma: no cover\n\u00a0 \u00a0 \u00a0 \u00a0 raise tarfile.InvalidHeaderError(\"invalid offset\")\n\u00a0 \u00a0 return _block_patched._orig_block(self, count)\n\n_block_patched._orig_block = tarfile.TarInfo._block\ntarfile.TarInfo._block = _block_patched",
"id": "GHSA-v594-44hm-2j7p",
"modified": "2025-11-05T00:31:23Z",
"published": "2025-07-28T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8194"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/130577"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/137027"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227"
},
{
"type": "WEB",
"url": "https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/28/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/28/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V5GM-HMRC-RGFQ
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44An issue was discovered in QPDF before 7.0.0. There is an infinite loop due to looping xref tables in QPDF.cc.
{
"affected": [],
"aliases": [
"CVE-2017-18186"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-13T19:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in QPDF before 7.0.0. There is an infinite loop due to looping xref tables in QPDF.cc.",
"id": "GHSA-v5gm-hmrc-rgfq",
"modified": "2022-05-13T01:44:36Z",
"published": "2022-05-13T01:44:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18186"
},
{
"type": "WEB",
"url": "https://github.com/qpdf/qpdf/issues/149"
},
{
"type": "WEB",
"url": "https://github.com/qpdf/qpdf/commit/85f05cc57ffa0a863d9d9b23e73acea9410b2937"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3638-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V6C2-XWV6-8XF7
Vulnerability from github – Published: 2026-03-17 20:04 – Updated: 2026-03-19 21:00Summary
music-metadata's ASF parser (parseExtensionObject() in lib/asf/AsfParser.ts:112-158) enters an infinite loop when a sub-object inside the ASF Header Extension Object has objectSize = 0.
Root Cause
When objectSize is 0:
1. remaining = 0 - 24 = -24
2. tokenizer.ignore(-24) moves the read position backward by 24 bytes
3. extensionSize -= 0 (loop counter never decreases)
4. while (extensionSize > 0) never exits
5. The same 24-byte header is re-read infinitely
This is the same pattern as CVE-2026-31808 (GHSA-5v7r-6r5c-r473) in file-type — strtok3's AbstractTokenizer.ignore() accepts negative values without validation.
Affected Methods
parseFile()— HANGS (FileTokenizer inherits vulnerable ignore())parseBuffer()— HANGS (BufferTokenizer inherits vulnerable ignore())parseStream()— NOT affected (ReadStreamTokenizer has own ignore() that throws RangeError)
Impact
A 100-byte crafted .asf file permanently hangs any application using parseFile() or parseBuffer(). music-metadata has 2.2M weekly npm downloads.
Suggested Fix
Validate objectSize >= minimumHeaderSize before calculating the payload. Or fix strtok3's AbstractTokenizer.ignore() to reject negative values.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.12.1"
},
"package": {
"ecosystem": "npm",
"name": "music-metadata"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32256"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T20:04:48Z",
"nvd_published_at": "2026-03-18T04:17:25Z",
"severity": "HIGH"
},
"details": "# Summary\n\nmusic-metadata\u0027s ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`.\n\n## Root Cause\n\nWhen objectSize is 0:\n1. `remaining = 0 - 24 = -24`\n2. `tokenizer.ignore(-24)` moves the read position backward by 24 bytes\n3. `extensionSize -= 0` (loop counter never decreases)\n4. `while (extensionSize \u003e 0)` never exits\n5. The same 24-byte header is re-read infinitely\n\nThis is the same pattern as CVE-2026-31808 (GHSA-5v7r-6r5c-r473) in file-type \u2014 strtok3\u0027s `AbstractTokenizer.ignore()` accepts negative values without validation.\n\n## Affected Methods\n- `parseFile()` \u2014 HANGS (FileTokenizer inherits vulnerable ignore())\n- `parseBuffer()` \u2014 HANGS (BufferTokenizer inherits vulnerable ignore())\n- `parseStream()` \u2014 NOT affected (ReadStreamTokenizer has own ignore() that throws RangeError)\n\n## Impact\nA 100-byte crafted .asf file permanently hangs any application using parseFile() or parseBuffer(). music-metadata has 2.2M weekly npm downloads.\n\n## Suggested Fix\nValidate `objectSize \u003e= minimumHeaderSize` before calculating the payload. Or fix strtok3\u0027s `AbstractTokenizer.ignore()` to reject negative values.",
"id": "GHSA-v6c2-xwv6-8xf7",
"modified": "2026-03-19T21:00:51Z",
"published": "2026-03-17T20:04:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Borewit/music-metadata/security/advisories/GHSA-v6c2-xwv6-8xf7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32256"
},
{
"type": "PACKAGE",
"url": "https://github.com/Borewit/music-metadata"
},
{
"type": "WEB",
"url": "https://github.com/Borewit/music-metadata/releases/tag/v11.12.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "music-metadata has an infinite loop vulnerability in ASF parser"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.