Skip to main content

image-size CVE-2025-71319

| EUVDEUVD-2025-210087 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-06-09 VulnCheck GHSA-m5qc-5hw7-8vg7
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
Jun 09, 2026 - 22:03 EUVD
Analysis Updated
Jun 09, 2026 - 21:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 09, 2026 - 21:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 09, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jun 09, 2026 - 21:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
Jun 09, 2026 - 20:45 vuln.today
Analysis Generated
Jun 09, 2026 - 20:45 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on image-size (3 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.1.0.

DescriptionCVE.org

image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.

AnalysisAI

Denial of service in the npm image-size library (versions 1.1.0-1.2.0 and 2.0.0-2.0.1) lets remote unauthenticated attackers hang any application that parses untrusted JXL, HEIF, or JP2 images. By supplying a crafted file whose ISO-BMFF-style box declares a size of zero, the findBox routine never advances its offset and enters an infinite loop during validation. No public exploit identified at time of analysis, though the vendor advisory includes payload details that make weaponization straightforward.

Technical ContextAI

image-size is a widely deployed npm package for detecting image dimensions and type from raw bytes, frequently embedded in web upload pipelines, thumbnailers, and image-processing middleware. The flaw lives in lib/types/utils.ts in the readBox/findBox helpers used by the JXL, HEIF, and JP2 type handlers, which iterate through ISO base media file format boxes by reading a 32-bit big-endian size field and adding it to the current offset. When boxSize is 0 the bounds check (input.length - offset < boxSize) is satisfied and offset is never incremented, producing the CWE-835 'Loop with Unreachable Exit Condition' infinite loop. Because the detector falls through to these handlers whenever the first byte does not match a known signature, an attacker only needs the bytes at offsets 4-8 to spell 'JXL ' (or the equivalent HEIF/JP2 markers) to reach the vulnerable path.

RemediationAI

Upgrade image-size to vendor-released patch version 1.2.1 on the 1.x branch or 2.0.2 on the 2.x branch, both of which contain commit 8994131c7c3ee8da1699e04700c95e0e683a0c68 that fixes the findBox loop; consult https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7 for the authoritative advisory. Run npm audit fix or update package-lock.json and any transitive pins (image-size is commonly pulled in by image-processing middleware), and rebuild containers so the patched version is actually loaded. If immediate upgrade is not possible, compensating controls include invoking image-size inside a worker thread or child process with a hard wall-clock timeout (sub-second is sufficient because legitimate detection is microsecond-scale), rejecting uploads whose first 8 bytes match the JXL/HEIF/JP2 ftyp signatures at the edge until patched, or limiting upload size - note the size limit only narrows the attack surface because a malicious file can be as small as 8 bytes.

Vendor StatusVendor

Share

CVE-2025-71319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy