[GHSA-gmq8-994r-jv83] yauzl contains an off-by-one error

advisories/github-reviewed/2026/03/GHSA-gmq8-994r-jv83/GHSA-gmq8-994r-jv83.json

@@ -1,18 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gmq8-994r-jv83",
-  "modified": "2026-03-13T18:58:11Z",
+  "modified": "2026-03-13T18:58:14Z",
   "published": "2026-03-12T00:31:17Z",
   "aliases": [
     "CVE-2026-31988"
   ],
   "summary": "yauzl contains an off-by-one error",
   "details": "yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
@@ -29,13 +25,16 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "3.2.0"
             },
             {
               "fixed": "3.2.1"
             }
           ]
         }
+      ],
+      "versions": [
+        "3.2.0"
       ]
     }
   ],