yauzl Denial-of-Service Vulnerability via Off-by-One Error in NTFS Timestamp Parser

Vulnerability

A denial-of-service vulnerability has been identified in yauzl (Yet Another Unzip Library) version 3.2.0 for Node.js. The issue is an off-by-one error in the parser for the NTFS extended timestamp extra field, which runs inside the getLastModDate() function. A remote attacker can crash the process by supplying a zip file whose entry carries a malformed NTFS extra field. Any Node.js application that accepts zip files from untrusted sources (for example file uploads) and calls entry.getLastModDate() on the parsed entries is affected.

Impact

Exploitation causes getLastModDate() to throw an ERR_OUT_OF_RANGE error while reading the malformed field. If the caller does not catch it, the uncaught exception terminates the Node.js process, taking down the application or service that was processing the zip file and creating a denial-of-service condition.

Reproduction

To reproduce this vulnerability, upload a zip file containing an entry with a malformed NTFS extra field (ID 0x000A) that is precisely 4, 8, or 11 bytes long. When the application processes the zip file and calls entry.getLastModDate() on that entry, the parser reads beyond the end of the extra field's buffer, Node raises ERR_OUT_OF_RANGE, and the Node.js process crashes unless the caller catches the exception.

Remediation

Users are advised to update yauzl to version 3.2.1 or later. If an immediate upgrade is not possible, wrap every call to entry.getLastModDate() in a try/catch block: the method is synchronous, so the exception surfaces at the call site and can be caught there. Treat a caught error as a malformed entry (for example, fall back to the DOS timestamp or skip the entry) rather than retrying.

Added: Mar 11, 2026, 11:21 PM
Updated: Mar 11, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.