image-size
CVE-2025-71330
HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. An attacker crafts an ICNS buffer that carries valid magic bytes and an entry whose length field is zero: the parser advances its offset by the declared entry length, so a zero-length entry leaves the offset unchanged, the while loop's condition stays true, and the parser spins indefinitely.
Analysis (AI)
Denial of service in the image-size npm package (versions up to and including 2.0.2) allows remote unauthenticated attackers to permanently freeze the Node.js event loop by submitting a crafted ICNS image with a zero-valued entry length field. Any Node.js application that parses untrusted image input with this library is exposed, and publicly available exploit code exists alongside an upstream patch.
Technical Context (AI)
image-size is a widely used Node.js library that reports the dimensions and type of image files (PNG, JPEG, ICO, ICNS, etc.) without decoding pixel data. The flaw is a CWE-835 (Loop with Unreachable Exit Condition / Infinite Loop) in the ICNS parser: the parser walks the file's variable-length entries by adding each entry's declared length to a byte offset, and it never checks that the length is at least the size of the entry header. An entry whose length field is 0 therefore leaves the offset where it was while the loop's continuation condition still holds, so the loop never exits. Because JavaScript in a Node.js process runs on a single main thread, a synchronous loop like this pins the event loop at 100% CPU and starves every other request, timer and callback in the process until it is killed. The affected CPE is cpe:2.3:a:image-size:image-size:*:*:*:*:*:*:*:* with 2.0.2 as the inclusive upper bound.
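An added example, not image-size's own code, of the loop shape the advisory describes. It is written against the ICNS container layout (a 4-byte "icns" magic, a 4-byte big-endian file length, then entries made of a 4-byte type tag and a 4-byte big-endian length that includes the entry's own 8-byte header) and pairs a walker with the vulnerable `offset += entryLength` step against a hardened one that rejects any entry shorter than its header. The `buildIcns` helper and the buffers it produces are constructed test input; the `maxIterations` cap exists only so the vulnerable variant terminates in the demo, the real defect had no such cap.

```javascript
// ICNS layout constants (format facts, not image-size identifiers).
const ICNS_MAGIC = 'icns';
const HEADER_SIZE = 8;   // file header: magic + total file length
const ENTRY_HEADER = 8;  // per-entry header: OSType tag + entry length (header included)

// Constructed-input builder: entries are { type, length, payloadLen? }.
// `length` is written verbatim into the length field, so a caller can declare 0
// while still emitting a full 8-byte header, exactly the crafted case in the advisory.
function buildIcns(entries) {
  const chunks = [];
  for (const e of entries) {
    const payloadLen = Math.max(0, e.payloadLen ?? (e.length - ENTRY_HEADER));
    const b = Buffer.alloc(ENTRY_HEADER + payloadLen);
    b.write(e.type, 0, 4, 'ascii');
    b.writeUInt32BE(e.length, 4);
    chunks.push(b);
  }
  const body = Buffer.concat(chunks);
  const head = Buffer.alloc(HEADER_SIZE);
  head.write(ICNS_MAGIC, 0, 4, 'ascii');
  head.writeUInt32BE(HEADER_SIZE + body.length, 4);
  return Buffer.concat([head, body]);
}

// Vulnerable pattern: the cursor moves by the declared length and nothing else,
// so a zero-length entry pins it. `maxIterations` is a demo-only escape hatch.
function walkEntriesVulnerable(buf, maxIterations = 1000) {
  const fileLen = buf.readUInt32BE(4);
  let offset = HEADER_SIZE;
  let iterations = 0;
  let entries = 0;
  while (offset < fileLen && offset + ENTRY_HEADER <= buf.length) {
    const entryLen = buf.readUInt32BE(offset + 4);
    entries++;
    offset += entryLen; // entryLen === 0 leaves offset unchanged: CWE-835
    if (++iterations >= maxIterations) return { hung: true, iterations, entries };
  }
  return { hung: false, iterations, entries };
}

// Hardened walker: every entry must cover at least its own header (otherwise the
// cursor cannot advance), must stay inside the file, and the loop bound is the
// smaller of the declared and actual sizes.
function walkEntriesHardened(buf) {
  if (buf.length < HEADER_SIZE || buf.toString('ascii', 0, 4) !== ICNS_MAGIC) {
    throw new Error('not an ICNS buffer');
  }
  const limit = Math.min(buf.readUInt32BE(4), buf.length);
  const entries = [];
  let offset = HEADER_SIZE;
  while (offset + ENTRY_HEADER <= limit) {
    const type = buf.toString('ascii', offset, offset + 4);
    const entryLen = buf.readUInt32BE(offset + 4);
    if (entryLen < ENTRY_HEADER) {
      throw new Error(`invalid ICNS entry length ${entryLen} at offset ${offset}`);
    }
    if (offset + entryLen > limit) throw new Error(`ICNS entry at offset ${offset} overruns file`);
    entries.push({ type, length: entryLen, offset });
    offset += entryLen;
  }
  return entries;
}

// Stand-alone demo on a crafted and a benign buffer.
const crafted = buildIcns([{ type: 'ic10', length: 0, payloadLen: 0 }]);
const benign = buildIcns([{ type: 'ic07', length: 12 }, { type: 'ic08', length: 10 }]);
console.log('vulnerable walker on crafted input:', walkEntriesVulnerable(crafted, 50));
try { walkEntriesHardened(crafted); } catch (e) { console.log('hardened walker:', e.message); }
console.log('hardened walker on benign input:', walkEntriesHardened(benign));
```

The fix that matters is the `entryLen < ENTRY_HEADER` check; bounding the loop by `Math.min(declaredLength, buf.length)` is a second, independent guard against a length field that overstates the file.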
Remediation (AI)
Upgrade image-size to a version that includes the upstream fix from pull request https://github.com/image-size/image-size/pull/439 (archived at https://web.archive.org/web/20260224152152/...); this advisory does not record the exact released fix version, so confirm the patched tag in the package's release notes before pinning it. Audit your dependency tree with npm ls image-size or yarn why image-size to find transitive consumers and bump them as well. If an immediate upgrade is not possible, compensating controls include rejecting ICNS input at the application boundary (by magic bytes or MIME type), enforcing a strict maximum file size before parsing (this bounds memory but not this hang, since the crafted buffer can be a few dozen bytes), and running image-size calls inside a worker_threads pool with a hard timeout, so that a stuck parse is terminated together with its worker while the main event loop keeps serving. The trade-offs are added latency and complexity in the request path, and a magic-byte filter only helps if it runs on the same bytes the parser receives: image-size selects the ICNS parser from the buffer's own magic, so any code path that hands it unfiltered bytes still reaches the loop.