Skip to main content

ExifReader CVE-2026-8813

| EUVDEUVD-2026-30838 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-19 snyk GHSA-h64w-w9pr-82m4
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 19, 2026 - 07:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 07:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 07:22 NVD
7.5 (HIGH) 7.7 (HIGH)
Patch available
May 19, 2026 - 07:16 EUVD
Source Code Evidence Fetched
May 19, 2026 - 06:45 vuln.today
Analysis Generated
May 19, 2026 - 06:45 vuln.today

DescriptionCVE.org

This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion.

AnalysisAI

Denial-of-service in ExifReader (npm package mattiasw/ExifReader) before 4.39.0 allows remote attackers to exhaust memory by submitting a crafted image whose ICC profile contains a malformed mluc tag. A specially crafted record count combined with a zero record size causes the parser to loop on the same record while continuously appending entries to an array, driving memory growth until the host process crashes. CVSS 4.0 base score is 7.7 with proof-of-concept exploit maturity (E:P), and publicly available exploit code exists via the referenced gist; no active in-the-wild exploitation is indicated.

Technical ContextAI

ExifReader is a widely used JavaScript/Node.js library for extracting EXIF, IPTC, XMP, ICC and other metadata from images, commonly deployed inside web upload pipelines, image processors, and serverless functions. The bug lives in the ICC profile parser, specifically the handling of the multi-localized Unicode string (mluc) tag defined by the ICC.1:2010 specification, which encodes a 32-bit record count and a 32-bit record size followed by per-locale entries. CWE-1284 (Improper Validation of Specified Quantity in Input) applies: the parser trusts the attacker-supplied record count and does not validate that the record size is non-zero, so the read pointer never advances and the same record is appended repeatedly. The upstream fix is commit c9d88b67e127b2dcc7b46e328df468257fb2dc30 (CHANGELOG: 'Improved robustness when parsing ICC profiles with malformed mluc tags') shipped in 4.39.0. Affected CPE is cpe:2.3:a:n/a:exifreader:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: upgrade ExifReader to 4.39.0 or later (npm install exifreader@^4.39.0, then rebuild and redeploy any service that bundles it); the upstream fix is commit c9d88b67e127b2dcc7b46e328df468257fb2dc30 and is summarized in the project changelog as improved robustness against malformed ICC mluc tags. Audit transitive dependencies with npm ls exifreader or an SCA tool to catch indirect inclusions, and consult the Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689335 for additional mitigation guidance. If immediate upgrade is not feasible, compensating controls include disabling ICC profile parsing in ExifReader options (omit USE_ICC where the API allows it, accepting that ICC metadata will no longer be extracted), enforcing a strict maximum image size and per-request memory or CPU cap on the worker that performs parsing (which limits blast radius but does not prevent the crash), running metadata extraction inside an isolated short-lived worker or container with --max-old-space-size so that OOM kills do not bring down the main application, and stripping ICC profiles upstream with a hardened tool such as ImageMagick or libvips before the bytes ever reach ExifReader.

Share

CVE-2026-8813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy