漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry
Vulnerability Description
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
对高度压缩数据的处理不恰当(数据放大攻击)
Vulnerability Title
file type 安全漏洞
Vulnerability Description
file type是Sindre Sorhus个人开发者的一个文件类型检测工具。 file type 20.0.0版本至21.3.1版本存在安全漏洞,该漏洞源于特制ZIP文件在使用fileTypeFromBuffer、fileTypeFromBlob或fileTypeFromFile进行类型检测时可能触发内存过度增长,基于流的检测强制执行ZIP解压缩输出限制,但对已知大小的输入未强制执行,可能导致小型压缩ZIP使file-type在处理基于ZIP的格式时解压缩和处理更大的有效载荷。
CVSS Information
N/A
Vulnerability Type
N/A