What is CVE-2026-31988?

CVE-2026-31988 is a medium-severity vulnerability in Thejoshwolfe Yauzl, classified under Off-by-one Error. CVSS score: 5.3/10. Published 2026-03-11.

How severe is CVE-2026-31988?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Thejoshwolfe Yauzl

CVE-2026-31988

yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 i…

EPSS: 0.002 (35.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Thejoshwolfe Yauzl — versions 3.2.0, 3.2.1

Weakness classification (CWE)

CWE-193 — Off-by-one Error

References

Patch Commit (patch)
CodeAnt AI Security Research Advisory (third-party-advisory)
npm - yauzl (product)
VulnCheck Advisory: yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser (third-party-advisory)

Frequently asked questions

What is CVE-2026-31988?: CVE-2026-31988 is a medium-severity vulnerability in Thejoshwolfe Yauzl, classified under Off-by-one Error. CVSS score: 5.3/10. Published 2026-03-11.
How severe is CVE-2026-31988?: Medium severity. CVSS v3 base score is 5.3 out of 10.