CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


CVE-2026-32256: Infinite Loop Denial of Service in music-metadata ASF Parser

Amit Schendel
Senior Security Researcher

Mar 18, 2026

PoC Available

Executive Summary (TL;DR)

A zero-length objectSize in an ASF file triggers an infinite loop in music-metadata's parseFile and parseBuffer methods, leading to a complete Denial of Service via 100% CPU utilization.

The music-metadata NPM package versions prior to 11.12.3 are vulnerable to an infinite loop (CWE-835) in the Advanced Systems Format (ASF) parser. A maliciously crafted ASF file can cause the parser's read pointer to seek backward, creating a permanent hang state that results in a 100% CPU utilization Denial of Service (DoS).

Vulnerability Overview

The music-metadata NPM package provides audio and video metadata extraction capabilities for Node.js applications. Versions prior to 11.12.3 contain a severe vulnerability within the Advanced Systems Format (ASF) parsing logic. The flaw specifically manifests in the parseExtensionObject() function during the processing of ASF Header Extension Objects.

This vulnerability is classified under CWE-835 as a Loop with Unreachable Exit Condition, commonly referred to as an infinite loop. The defect allows an attacker to supply a crafted media file that manipulates the internal offset calculations of the file tokenizer. When processed, the application enters an unrecoverable state where the parsing loop consumes all available CPU cycles.

Applications processing user-supplied media files via the parseFile() or parseBuffer() methods are exposed to this Denial of Service (DoS) attack. The vulnerability requires no authentication and triggers immediately upon parsing the file header. The parseStream() method remains unaffected due to fundamental differences in how stream-based tokenizers handle relative offset navigation.

Root Cause Analysis

The root cause of CVE-2026-32256 lies in the missing validation of parsed size fields before performing subtractive arithmetic. The ASF parser iterates through sub-objects within an ASF Header Extension Object. For each iteration, it reads a 24-byte header containing a Globally Unique Identifier (GUID) and an objectSize variable.

The parser determines the payload size by subtracting the 24-byte header length from the parsed objectSize. The resulting value is passed to the tokenizer.ignore() method to advance the read pointer to the next object. If a malicious file sets the objectSize field to exactly 0, the calculation 0 - 24 produces a negative remaining offset of -24.

The FileTokenizer and BufferTokenizer implementations handle the ignore() operation by simply adding the provided integer to the current position pointer. Because the value is negative, the pointer seeks backward by exactly 24 bytes, returning to the start of the current header. The loop condition evaluates the remaining extension size, but since the pointer continuously rewinds, the exit condition is never satisfied, resulting in an infinite loop.

Code Analysis

The vulnerable sequence begins in the ASF parser module when it evaluates extension object payloads. The code subtracts the header constant without bounds checking and feeds the result directly into the tokenizer's position tracking logic.

The fundamental issue exists at the intersection of the parser and the tokenizer interfaces. The abstract tokenizer assumes that ignore() will only receive positive integers to skip forward. The ReadStreamTokenizer natively rejects negative values by throwing a RangeError, inadvertently immunizing parseStream() from this attack vector.

The patched version corrects this logic flaw by explicitly validating the minimum acceptable size of the objectSize field. The patch enforces a check to ensure objectSize is greater than or equal to 24 before any subtraction occurs. If the constraint fails, the parser throws an explicit error, terminating the loop and gracefully aborting the parsing process.
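The following is an added example, not code from music-metadata or from the original report: a simplified model of the sub-object loop described above, run with and without the objectSize >= 24 check. The names ModelBufferTokenizer, walkExtension and subObject are hypothetical, the inputs are constructed, and the step cap exists only so the unvalidated variant terminates in the demo.

```javascript
const HEADER_LEN = 24; // 16-byte GUID + 8-byte little-endian objectSize

// Hypothetical model of a buffer-backed tokenizer: ignore() only adds to position.
class ModelBufferTokenizer {
  constructor(buf) { this.buf = buf; this.position = 0; }
  readHeader() {
    if (this.position + HEADER_LEN > this.buf.length) {
      throw new Error('truncated sub-object header');
    }
    const objectSize = Number(this.buf.readBigUInt64LE(this.position + 16));
    this.position += HEADER_LEN;
    return { objectSize };
  }
  ignore(n) { this.position += n; } // a negative n moves the pointer backward
}

// Walks the sub-objects in an extension block. `validate` enables the size check;
// the patched library throws at that point, this model returns a result instead.
function walkExtension(buf, { validate, maxSteps = 1000 }) {
  const tok = new ModelBufferTokenizer(buf);
  let steps = 0;
  while (tok.position < buf.length) {
    if (++steps > maxSteps) {
      return { outcome: 'no-progress', steps: maxSteps, position: tok.position };
    }
    const { objectSize } = tok.readHeader();
    if (validate && objectSize < HEADER_LEN) {
      return { outcome: 'rejected', steps, reason: `objectSize ${objectSize} < ${HEADER_LEN}` };
    }
    tok.ignore(objectSize - HEADER_LEN); // 0 - 24 = -24 rewinds to the header start
  }
  return { outcome: 'done', steps, position: tok.position };
}

// Constructed inputs: an all-zero GUID, the size field, then a zeroed payload.
function subObject(objectSize, payloadLen) {
  const b = Buffer.alloc(HEADER_LEN + payloadLen);
  b.writeBigUInt64LE(BigInt(objectSize), 16);
  return b;
}
const wellFormed = Buffer.concat([subObject(32, 8), subObject(24, 0)]);
const zeroSize = Buffer.concat([subObject(0, 0), subObject(24, 0)]);

console.log(walkExtension(wellFormed, { validate: false }));
console.log(walkExtension(zeroSize, { validate: false }));
console.log(walkExtension(zeroSize, { validate: true }));
```

Without the check, the position is still 0 after 1000 iterations; with it, the walk stops on the first header.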

Exploitation

Exploitation of CVE-2026-32256 requires the attacker to construct a specialized ASF or WMA media file. The malicious file needs a minimal structure of approximately 100 bytes to reach the vulnerable code path. The primary requirement is the inclusion of an ASF Header Extension Object matching the specific GUID B7 DC 07 91 AD 0B D0 11 A6 B2 00 A0 C9 03 48 F6.

Within this extension object, the attacker must define a sub-object header where the 64-bit integer representing the objectSize is explicitly set to 0x0000000000000000. No further valid payload or media data is required. The exploit file relies solely on the structural definition of the metadata header to manipulate the parser's state machine.

Upon submission to a target system utilizing the parseFile() or parseBuffer() APIs, the library begins extracting the metadata. Once the tokenizer reaches the malformed sub-object, the backward seek is triggered. The Node.js event loop blocks indefinitely on the synchronous parsing operation, rendering the application entirely unresponsive to concurrent network requests or events.

Impact Assessment

The successful exploitation of this vulnerability directly results in a severe Denial of Service condition. Node.js operates on a single-threaded event loop architecture, meaning synchronous infinite loops completely halt the execution of all other application tasks. A single malicious request traversing this code path will cause the entire Node.js process to stall at 100% CPU utilization.

The CVSS v3.1 base score of 7.5 reflects the high availability impact combined with the low complexity of the network-based attack vector. The vulnerability requires zero user interaction and operates seamlessly against default configurations. However, the attack does not compromise the confidentiality or integrity of the underlying system, as it provides no mechanism for memory corruption or arbitrary code execution.

In cloud or containerized environments, the sustained CPU spike often triggers health check failures and subsequent container terminations. While orchestrators will restart the failing instance, persistent submission of the malicious file can lead to a continuous crash loop. This cascading failure pattern disrupts overall service availability and increases infrastructure resource expenditure.

Remediation

The primary remediation strategy for CVE-2026-32256 is upgrading the music-metadata package to version 11.12.3 or higher. The official patch introduces proper validation for the objectSize attribute, strictly prohibiting sizes smaller than the 24-byte header requirement. This structural verification occurs before the tokenizer offset calculation, neutralizing the backward seek vector.

For applications where an immediate dependency upgrade is not feasible, developers should refactor file processing routines to exclusively use the parseStream() method. The underlying ReadStreamTokenizer natively rejects negative offset parameters, throwing a catchable RangeError. This architectural difference prevents the infinite loop state entirely.

Secondary mitigations involve strict file validation and size constraints at the perimeter. However, because the exploit payload requires approximately 100 bytes, conventional file size limits offer no protection against this specific vector. Security teams should prioritize patching or migrating to the stream-based API to guarantee protection against application exhaustion.

Official Patches

Borewit: Version 11.12.3 Release Notes

Technical Appendix

CVSS Score

7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

music-metadata NPM package

Affected Versions Detail

Product: music-metadata (Borewit)
Affected Versions: < 11.12.3
Fixed Version: 11.12.3

Attribute: Detail
CWE ID: CWE-835
Attack Vector: Network
CVSS v3.1: 7.5
Impact: High (Availability)
Exploit Status: Proof of Concept
KEV Status: Not Listed

MITRE ATT&CK Mapping

T1499.004: Endpoint Denial of Service: Application Exhaustion (Impact)
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Vulnerability Timeline

2026-03-12: Patch developed and version 11.12.3 released
2026-03-17: GitHub Advisory GHSA-v6c2-xwv6-8xf7 published
2026-03-18: CVE-2026-32256 assigned and published
