Improper Handling of Highly Compressed Data (Data Amplification)

CVE-2026-32630

Severity Medium
Score 5.3/10

Summary

file-type detects the file type of a file, stream, or data. In versions 20.0.0 through 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection when "fileTypeFromBuffer()", "fileTypeFromBlob()", or "fileTypeFromFile()" is used. The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
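The missing control described above is an output cap that applies even when the whole input is already in memory. The following is an added example, not code from file-type or its fix: it uses Node's zlib "maxOutputLength" option to bound inflation of a ZIP entry, and the names buildZipEntry, inflateEntryBounded and the 1 MiB budget are assumptions chosen for illustration.

```javascript
// Added example, not file-type's code: cap inflate output for an in-memory ZIP entry.
const zlib = require('node:zlib');

const MAX_INFLATED_BYTES = 1024 * 1024; // assumed per-entry probing budget (1 MiB)
const LOCAL_HEADER_SIG = 0x04034b50;

// Build one constructed ZIP local file entry (method 8 = deflate) as sample input.
function buildZipEntry(name, content) {
  const data = zlib.deflateRawSync(content);
  const header = Buffer.alloc(30);          // CRC-32 left as 0: this demo never checks it
  header.writeUInt32LE(LOCAL_HEADER_SIG, 0);
  header.writeUInt16LE(20, 4);              // version needed to extract
  header.writeUInt16LE(8, 8);               // compression method: deflate
  header.writeUInt32LE(data.length, 18);    // compressed size
  header.writeUInt32LE(content.length, 22); // declared uncompressed size (untrusted in real files)
  header.writeUInt16LE(Buffer.byteLength(name), 26);
  return Buffer.concat([header, Buffer.from(name), data]);
}

// Inflate the first entry of a fully buffered ZIP, producing at most `limit` bytes.
// Assumes sizes are in the local header (no data descriptor, no ZIP64).
function inflateEntryBounded(zip, limit = MAX_INFLATED_BYTES) {
  if (zip.length < 30 || zip.readUInt32LE(0) !== LOCAL_HEADER_SIG) {
    throw new Error('not a ZIP local file header');
  }
  if (zip.readUInt16LE(8) !== 8) throw new Error('demo handles deflate entries only');
  const start = 30 + zip.readUInt16LE(26) + zip.readUInt16LE(28);
  const raw = zip.subarray(start, start + zip.readUInt32LE(18));
  try {
    // maxOutputLength makes zlib stop and throw once output passes the cap,
    // so knowing the input size up front does not lift the limit.
    return { ok: true, data: zlib.inflateRawSync(raw, { maxOutputLength: limit }) };
  } catch (err) {
    if (err.code === 'ERR_BUFFER_TOO_LARGE') return { ok: false, reason: 'inflate limit exceeded' };
    throw err;
  }
}

// Constructed inputs: a highly compressible 8 MiB entry and a small benign one.
const oversized = buildZipEntry('word/document.xml', Buffer.alloc(8 * 1024 * 1024));
const benign = buildZipEntry('hello.txt', Buffer.from('hello'));
console.log(oversized.length, inflateEntryBounded(oversized).ok);
console.log(benign.length, inflateEntryBounded(benign).data.toString());
```

The declared uncompressed size in the header is deliberately ignored when enforcing the cap, since a crafted file can state any value there.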

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • LOW

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Advisory Timeline

  • Published