CVE-2025-71330
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| image-size | image-size | 1.1.0 <= 1.2.1 | affected |
| image-size | image-size | 2.0.0 <= 2.0.2 | affected |
Weaknesses
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://joshua.hu/image-size-infinite-loop-dos-vulnerabilities
- https://web.archive.org/web/20260224152152/https://github.com/image-size/image-size/pull/439
- https://www.vulncheck.com/advisories/image-size-denial-of-service-via-malformed-icns-image-parsing
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.