CVE-2026-32256— music-metadata has an infinite loop vulnerability in ASF parser
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-32256
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
music-metadata has an infinite loop vulnerability in ASF parser
Source: NVD (National Vulnerability Database)
Vulnerability Description
music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version 11.12.3 fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不可达退出条件的循环(无限循环)
Source: NVD (National Vulnerability Database)
Vulnerability Title
music-metadata 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
music-metadata是Borewit个人开发者的一个音频文件元数据提取库。 music-metadata 11.12.3之前版本存在安全漏洞,该漏洞源于ASF解析器处理objectSize为0的对象不当,可能导致无限循环。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Borewit | music-metadata | < 11.12.3 | - |
II. Public POCs for CVE-2026-32256
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-32256
请登录查看更多情报信息。
- Release v11.12.3 · Borewit/music-metadata · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-32256
IV. Related Vulnerabilities
Same weakness: CWE-835
- CVE-2026-42310
Pillow: PDF Parsing Trailer Infinite Loop (DoS) - CVE-2026-41511
OpenMcdf has an Infinite loop DoS via crafted CFB directory - CVE-2026-5407
Loop with Unreachable Exit Condition ('Infinite Loop') in Wi - CVE-2026-6536
Loop with Unreachable Exit Condition ('Infinite Loop') in Wi - CVE-2026-6534
Loop with Unreachable Exit Condition ('Infinite Loop') in Wi
V. Comments for CVE-2026-32256
No comments yet