CVE-2026-32256

music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version 11.12.3 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Borewit/music-metadata/releases/tag/v11.12.3	Product Release Notes
https://github.com/Borewit/music-metadata/security/advisories/GHSA-v6c2-xwv6-8xf7	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:borewit:music-metadata:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-18 04:17

Updated : 2026-03-19 18:07

NVD link : CVE-2026-32256

Mitre link : CVE-2026-32256

CVE.ORG link : CVE-2026-32256

JSON object : View

Products Affected

borewit

music-metadata

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

7.5 /10