Listen to this Post
The vulnerability resides in the ASF parser of music-metadata, specifically within the `parseExtensionObject()` function in `lib/asf/AsfParser.ts` (lines 112-158). When a sub-object inside the ASF Header Extension Object contains an `objectSize` field set to 0, the parser calculates the remaining bytes to skip as remaining = objectSize - 24, resulting in -24. The `tokenizer.ignore(-24)` function, inherited from the vulnerable `strtok3` library (same root cause as CVE-2026-31808), accepts this negative value without validation, causing the read position to move backward by 24 bytes. The loop counter `extensionSize` subtracts `0` each iteration, so `extensionSize > 0` never becomes false, creating an infinite loop. Both `parseFile()` and `parseBuffer()` methods are affected as they use the vulnerable tokenizer implementation, while `parseStream()` remains unaffected due to its own `ignore()` method that throws a RangeError. A malicious actor can craft a 100-byte ASF file that permanently hangs any application using the affected methods, leading to complete denial of service .
Platform: music-metadata
Version: < 11.12.3
Vulnerability: Infinite Loop DoS
Severity: HIGH
date: 2026-03-18
Prediction: Patch already available
What Undercode Say:
Analysis:
The vulnerability is identical in pattern to CVE-2026-31808 in the `file-type` library, as both rely on the same flawed `strtok3` tokenizer implementation. The `AbstractTokenizer.ignore()` method fails to validate negative values, allowing attackers to rewind the read position and trap parsers in infinite loops. music-metadata has approximately 2.2 million weekly npm downloads, making this a high-impact supply chain vulnerability. The fix requires either validating `objectSize >= minimumHeaderSize` before calculating payload or patching `strtok3` to reject negative values outright.
Bash/Code Examples:
Check installed version:
npm list music-metadata
Vulnerable code pattern (simplified):
// In AsfParser.ts
while (extensionSize > 0) {
const header = await tokenizer.readToken(AsfObjectHeader);
const objectSize = header.objectSize;
const remaining = objectSize - 24; // If objectSize = 0, remaining = -24
await tokenizer.ignore(remaining); // Negative value moves position backward
extensionSize -= objectSize; // objectSize = 0, so extensionSize never decreases
}
Fixed code pattern:
if (objectSize < 24) {
throw new Error('Invalid object size');
}
const remaining = objectSize - 24;
if (remaining < 0) {
throw new RangeError('Cannot ignore negative bytes');
}
await tokenizer.ignore(remaining);
extensionSize -= objectSize;
Update to patched version:
npm install [email protected]
Exploit:
An attacker crafts a malicious ASF file (approximately 100 bytes) where the ASF Header Extension Object contains a sub-object with `objectSize` set to 0. When any application calls `parseFile()` or `parseBuffer()` on this file, the parser enters an infinite loop, consuming 100% CPU and hanging the Node.js event loop indefinitely. No authentication or user interaction is required beyond delivering the file to the parser .
Proof of concept snippet:
const mm = require('music-metadata');
const fs = require('fs');
// Attacker crafts malicious ASF buffer with objectSize = 0
const maliciousBuffer = createMaliciousAsfWithZeroSize(); // Hypothetical function
// This call will hang forever
mm.parseBuffer(maliciousBuffer, 'audio/asf')
.then(metadata => console.log(metadata))
.catch(err => console.error(err));
// Process never reaches here
Protection from this CVE:
Upgrade to music-metadata version 11.12.3 or later, which contains the fix . For applications that cannot upgrade immediately, avoid using `parseFile()` or `parseBuffer()` with untrusted ASF input; instead, use `parseStream()` which is unaffected due to its safer `ignore()` implementation. As a defense-in-depth measure, validate all file inputs before processing and implement timeout wrappers around metadata parsing operations to prevent hangs from affecting the application.
Impact:
Denial of service affecting any Node.js application using music-metadata to parse untrusted ASF files. With 2.2 million weekly downloads, the potential blast radius includes media players, music library managers, streaming services, and file upload handlers. Attackers can permanently stall applications with minimal payload size (55-100 bytes), requiring no authentication or special privileges .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

