CVE-2022-36313

WSO2 Products Impacted: No

Customer Action Required: No


REPORTED VULNERABILITY

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack. [1][2]

REPORTED PRODUCTS

  • WSO2 API Manager: 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0

WSO2 JUSTIFICATION

The file-type package is included in WSO2 API Manager only as a transitive dependency introduced via Stoplight Elements (through the postman-collection dependency used by Stoplight components). We reviewed the product dependency tree and identified the file-type version packaged with API Manager as [email protected].

Although some advisories describe the issue broadly as affecting versions before 16.5.4, the more specific vulnerable ranges identify affected versions as >=13.0.0 <16.5.4 and >=17.0.0 <17.1.3 [3][4]. The version packaged with WSO2 API Manager is [email protected], which is outside these affected ranges. This is also consistent with the referenced upstream/Postman discussion [5].

In addition, the WSO2 team reviewed the [email protected] codebase and confirmed that the specific vulnerable code paths related to MKV file parsing and the associated infinite loop are not present in this version. Based on the affected version ranges and the code review, WSO2 products are not impacted and no customer action is required.
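As an added example (not code from the WSO2 advisory or the file-type project), the check described above can be scripted: walk the `packages` map of a lockfile (package-lock.json v2/v3) and flag every copy of file-type, including transitive ones nested under other packages, whose version falls inside the affected ranges >=13.0.0 <16.5.4 and >=17.0.0 <17.1.3. The lockfile contents below are constructed sample data, not WSO2's dependency tree.

```javascript
// Affected ranges for CVE-2022-36313 as stated in the advisory: [min, maxExclusive)
const AFFECTED_RANGES = [
  { min: [13, 0, 0], maxExcl: [16, 5, 4] },
  { min: [17, 0, 0], maxExcl: [17, 1, 3] },
];

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored for the range check)
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside any affected range (min inclusive, max exclusive)
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compare(v, r.min) >= 0 && compare(v, r.maxExcl) < 0
  );
}

// Keys of lock.packages are node_modules paths, so a transitive copy such as
// "node_modules/x/node_modules/file-type" is found alongside the top-level one.
function findFileType(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/file-type' || path.endsWith('/node_modules/file-type')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: one nested copy inside an affected range, one top-level copy outside.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/postman-collection': { version: '0.0.0-sample' },
    'node_modules/postman-collection/node_modules/file-type': { version: '16.5.3' },
    'node_modules/file-type': { version: '16.5.4' },
  },
};

console.log(findFileType(SAMPLE_LOCK));
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any hit with `affected: true` is a copy that needs upgrading to 16.5.4 or 17.1.3 or later.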

CONCLUSION

  • The file-type version bundled with WSO2 API Manager ([email protected]) is outside the affected version ranges for CVE-2022-36313.
  • WSO2 products are not impacted; no customer action is required.

REFERENCES