Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 4 npm packages depend on image-size (3 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.1.0.
DescriptionCVE.org
image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.
AnalysisAI
Denial of service in the npm image-size library (versions 1.1.0-1.2.0 and 2.0.0-2.0.1) lets remote unauthenticated attackers hang any application that parses untrusted JXL, HEIF, or JP2 images. By supplying a crafted file whose ISO-BMFF-style box declares a size of zero, the findBox routine never advances its offset and enters an infinite loop during validation. No public exploit identified at time of analysis, though the vendor advisory includes payload details that make weaponization straightforward.
Technical ContextAI
image-size is a widely deployed npm package for detecting image dimensions and type from raw bytes, frequently embedded in web upload pipelines, thumbnailers, and image-processing middleware. The flaw lives in lib/types/utils.ts in the readBox/findBox helpers used by the JXL, HEIF, and JP2 type handlers, which iterate through ISO base media file format boxes by reading a 32-bit big-endian size field and adding it to the current offset. When boxSize is 0 the bounds check (input.length - offset < boxSize) is satisfied and offset is never incremented, producing the CWE-835 'Loop with Unreachable Exit Condition' infinite loop. Because the detector falls through to these handlers whenever the first byte does not match a known signature, an attacker only needs the bytes at offsets 4-8 to spell 'JXL ' (or the equivalent HEIF/JP2 markers) to reach the vulnerable path.
RemediationAI
Upgrade image-size to vendor-released patch version 1.2.1 on the 1.x branch or 2.0.2 on the 2.x branch, both of which contain commit 8994131c7c3ee8da1699e04700c95e0e683a0c68 that fixes the findBox loop; consult https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7 for the authoritative advisory. Run npm audit fix or update package-lock.json and any transitive pins (image-size is commonly pulled in by image-processing middleware), and rebuild containers so the patched version is actually loaded. If immediate upgrade is not possible, compensating controls include invoking image-size inside a worker thread or child process with a hard wall-clock timeout (sub-second is sufficient because legitimate detection is microsecond-scale), rejecting uploads whose first 8 bytes match the JXL/HEIF/JP2 ftyp signatures at the edge until patched, or limiting upload size - note the size limit only narrows the attack surface because a malicious file can be as small as 8 bytes.
More in Image Size
View allDenial of service in the image-size Node.js library through version 2.0.2 allows remote unauthenticated attackers to per
Denial of service in the image-size Node.js library (versions up to and including 2.0.2) allows remote unauthenticated a
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210087
GHSA-m5qc-5hw7-8vg7