image-size
CVE-2025-71329
HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
Analysis (AI)
Denial of service in the image-size Node.js library through version 2.0.2 allows remote, unauthenticated attackers to permanently hang the Node.js event loop by submitting a crafted JXL or HEIF image containing a box with a zero-valued size field. Publicly available exploit code exists and the issue was disclosed by VulnCheck, but it is not listed in CISA KEV. Any service that ingests untrusted images and passes them through image-size can be taken down by a single request.
Technical Context (AI)
The image-size package is a widely deployed Node.js dependency used to detect dimensions of image files without decoding pixel data. Its JXL and HEIF parsers iterate through ISO Base Media File Format (ISOBMFF) style boxes, advancing an offset by each box's declared size. CWE-835 (Loop with Unreachable Exit Condition / Infinite Loop) applies here because the parser fails to validate that the box size is non-zero before using it as the advance amount; a zero value causes the offset to remain stationary and the loop to spin forever. The affected CPE is cpe:2.3:a:image-size:image-size:*:*:*:*:*:*:*:*, covering all versions up to and including 2.0.2. Because Node.js is single-threaded per event loop, an infinite loop in a synchronous parser blocks all other request processing in the worker.
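The box-walking loop and the check it lacked, as an added illustration rather than image-size's own code: a minimal ISOBMFF box reader of the kind HEIF/JXL dimension probes use, with the size validation that keeps the offset advancing. The buffers, the MAX_BOXES cap and the box() helper are constructed for this example and are not real image data.

```javascript
// ISOBMFF box header: 4-byte big-endian size, 4-byte type, and an 8-byte
// largesize when size === 1. Returns the boxes found or throws on malformed input.
const MAX_BOXES = 64; // hypothetical defense-in-depth cap on top-level boxes

function walkBoxes(buf) {
  const boxes = [];
  let offset = 0;
  while (offset + 8 <= buf.length) {
    if (boxes.length >= MAX_BOXES) throw new RangeError('too many boxes');
    let size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    let headerLen = 8;
    if (size === 1) {
      if (offset + 16 > buf.length) throw new RangeError('truncated largesize');
      const big = buf.readBigUInt64BE(offset + 8);
      if (big > BigInt(buf.length)) throw new RangeError('box exceeds buffer');
      size = Number(big);
      headerLen = 16;
    } else if (size === 0) {
      // ISOBMFF defines size 0 as "box extends to end of file". A parser that
      // simply does offset += size here never advances (CWE-835); consuming
      // the remainder instead guarantees the loop terminates.
      size = buf.length - offset;
    }
    // Both checks are required: a size below the header length would move the
    // offset backwards or not at all, and an oversized box would read past the end.
    if (size < headerLen) throw new RangeError(`box ${type}: size ${size} < header`);
    if (offset + size > buf.length) throw new RangeError(`box ${type} overruns buffer`);
    boxes.push({ type, offset, size });
    offset += size; // strictly increases because size >= headerLen >= 8
  }
  return boxes;
}

// Constructed sample boxes; sizeOverride lets us forge the zero-size field.
function box(type, payload = Buffer.alloc(0), sizeOverride) {
  const header = Buffer.alloc(8);
  header.writeUInt32BE(sizeOverride ?? 8 + payload.length, 0);
  header.write(type, 4, 4, 'latin1');
  return Buffer.concat([header, payload]);
}

const GOOD = Buffer.concat([box('ftyp', Buffer.from('heic')), box('meta', Buffer.alloc(16))]);
// The crafted condition: a 'meta' box whose size field is 0 with bytes after it.
const CRAFTED = Buffer.concat([box('ftyp', Buffer.from('heic')), box('meta', Buffer.alloc(16), 0)]);
```

On CRAFTED, walkBoxes() finishes in two iterations; a parser that advanced by the raw field would spin on offset 12 forever.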
Remediation (AI)
An upstream fix exists as a pull request/commit, tracked in https://github.com/image-size/image-size/pull/439, but a released patched version has not been independently confirmed. Consumers should upgrade to the first published image-size release that incorporates that pull request and verify that the installed version is above 2.0.2 in both direct and transitive dependency trees (npm ls image-size).

As a compensating control until a fixed version is pinned, reject JXL (image/jxl) and HEIF/HEIC (image/heif, image/heic) content types at the upload boundary or proxy layer; the trade-off is that legitimate users of those formats will be blocked. Alternatively, run image-size inside a worker thread or child process with a strict wall-clock timeout (e.g., a few hundred milliseconds) so that a hung parse only kills the worker rather than the main event loop, at the cost of modest per-request overhead and added complexity. Validating that box size fields are non-zero before calling image-size is not feasible without re-implementing the parser, so source-level mitigation should be limited to format restriction and timeouts.