Skip to main content

ExifReader CVE-2026-8814

| EUVDEUVD-2026-30842 MEDIUM
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-05-19 snyk GHSA-rr89-w3h9-m66j
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 19, 2026 - 07:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Patch available
May 19, 2026 - 07:16 EUVD
Source Code Evidence Fetched
May 19, 2026 - 06:47 vuln.today
Analysis Generated
May 19, 2026 - 06:47 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 npm packages depend on exifreader (10 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.20.0.

DescriptionCVE.org

Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.

AnalysisAI

Decompression bomb (data amplification) in ExifReader npm package before 4.39.0 allows remote unauthenticated attackers to exhaust server memory by supplying a crafted PNG file with a highly compressed zTXt metadata chunk. The vulnerable path activates only when the caller enables asynchronous parsing (async: true), at which point ExifReader decompresses the chunk via the Compression Streams API with no upper bound on output size. Publicly available proof-of-concept exploit code exists (E:P); this CVE is not listed in CISA KEV.

Technical ContextAI

ExifReader (cpe:2.3:a:n/a:exifreader:*:*:*:*:*:*:*:*) is a JavaScript library that parses image metadata across formats including JPEG, PNG, HEIC, and WebP. PNG files support zTXt chunks, which store arbitrary textual metadata compressed with zlib DEFLATE. CWE-409 (Improper Handling of Highly Compressed Data) describes the root cause class: libraries that decompress attacker-controlled data without enforcing an output-size limit can be forced to materialize disproportionately large buffers - a decompression bomb. The vulnerable code path in ExifReader uses the browser/Node Compression Streams API (or caller-supplied custom decompression functions) to expand zTXt content asynchronously, and prior to 4.39.0, no maximum decompressed size was enforced. The fix commit (5f116128) introduces a decompress.maxDecompressedSize option defaulting to 128 MiB; blocks exceeding the limit are skipped with a console.warn and remaining tags are returned normally.

RemediationAI

Upgrade ExifReader to version 4.39.0 or later; this is the vendor-released patch confirmed by upstream commit 5f116128adc19f674902f8bf582bfe7dd0a36375 (https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375) and the corresponding CHANGELOG entry. After upgrading, applications with stricter memory budgets should lower the default 128 MiB cap by passing decompress: { maxDecompressedSize: 16 * 1024 * 1024 } alongside async: true; blocks exceeding the limit are silently skipped with a warning, so this may omit legitimate but unusually large metadata. If an immediate upgrade is not possible, the most direct compensating control is to remove async: true from all ExifReader.load() calls - this eliminates the vulnerable decompression path entirely at the cost of losing async performance benefits. A secondary compensating control is to validate and reject PNG files above a conservative raw file-size threshold before passing them to ExifReader; note this limits input size but does not directly bound decompressed output, so it provides weaker guarantees than the patch. See the Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689340 for additional guidance.

Share

CVE-2026-8814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy