Description
music-metadata’s ASF parser (parseExtensionObject() in lib/asf/AsfParser.ts:112-158) enters an infinite loop when a sub-object inside the ASF Header Extension Object has objectSize = 0.
Recommendation
Update the music-metadata package to the latest compatible version. Followings are version details:
- Affected version(s): <= 11.12.1
- Patched version(s): 11.12.3
References
Related Issues
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS - CVE-2026-41150
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs - CVE-2026-4598
You might also like:
- Tags:
- npm
- music-metadata
Anything's wrong? Let us know Last updated on March 19, 2026