Description
music-metadata’s ASF parser (parseExtensionObject() in lib/asf/AsfParser.ts:112-158) enters an infinite loop when a sub-object inside the ASF Header Extension Object has objectSize = 0.
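The check that prevents this class of loop, as an added example (not music-metadata's own code or its actual patch; every name here is hypothetical). It relies on the ASF object layout, a 16-byte GUID followed by a 64-bit little-endian size that includes the 24-byte header, and runs on constructed sample buffers:

```typescript
// Added illustration; not code from music-metadata. All names are hypothetical.
// ASF object header: 16-byte GUID, then a 64-bit little-endian size that
// counts the header itself, so a valid size is never below 24 bytes.
const ASF_OBJECT_HEADER_LEN = 24;

interface SubObject { offset: number; size: number; }

// Read the 64-bit LE size field as a JS number (exact below 2^53).
function readObjectSize(view: DataView, offset: number): number {
  const lo = view.getUint32(offset + 16, true);
  const hi = view.getUint32(offset + 20, true);
  return hi * 4294967296 + lo;
}

// Walk consecutive sub-objects, rejecting any size that cannot advance the
// cursor (below the header length, which covers 0) or that overruns the data.
function walkSubObjects(data: Uint8Array): SubObject[] {
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  const found: SubObject[] = [];
  let offset = 0;
  while (data.byteLength - offset >= ASF_OBJECT_HEADER_LEN) {
    const size = readObjectSize(view, offset);
    if (size < ASF_OBJECT_HEADER_LEN) {
      throw new Error(`sub-object at ${offset}: size ${size} is smaller than its header`);
    }
    if (size > data.byteLength - offset) {
      throw new Error(`sub-object at ${offset}: size ${size} exceeds remaining data`);
    }
    found.push({ offset, size });
    offset += size; // always moves forward by at least 24 bytes
  }
  return found;
}

// Constructed sample input: zeroed GUIDs and payloads, one sub-object per
// declared size, each occupying at least a full header.
function buildSample(declaredSizes: number[]): Uint8Array {
  const total = declaredSizes.reduce((n, s) => n + Math.max(s, ASF_OBJECT_HEADER_LEN), 0);
  const buf = new Uint8Array(total);
  const view = new DataView(buf.buffer);
  let off = 0;
  for (const s of declaredSizes) {
    view.setUint32(off + 16, s, true);
    off += Math.max(s, ASF_OBJECT_HEADER_LEN);
  }
  return buf;
}
```

A loop that advances by the declared size without the first check never moves past a sub-object whose size is 0, which is the condition the advisory describes.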
Recommendation
Update the music-metadata package to the latest compatible version. Version details:
- Affected version(s): <= 11.12.1
- Patched version(s): 11.12.3
References
Related Issues
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- fast-xml-parser has RangeError DoS Numeric Entities Bug - CVE-2026-25128
- liquidjs has a path traversal fallback vulnerability - CVE-2026-30952
- jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - CVE-2026-24001
Tags: npm, music-metadata
Last updated on March 19, 2026