Skip to main content

Exifreader

2 CVEs product

Monthly

CVE-2026-8814 npm MEDIUM PATCH GHSA This Month

Decompression bomb (data amplification) in ExifReader npm package before 4.39.0 allows remote unauthenticated attackers to exhaust server memory by supplying a crafted PNG file with a highly compressed zTXt metadata chunk. The vulnerable path activates only when the caller enables asynchronous parsing (`async: true`), at which point ExifReader decompresses the chunk via the Compression Streams API with no upper bound on output size. Publicly available proof-of-concept exploit code exists (E:P); this CVE is not listed in CISA KEV.

Information Disclosure Exifreader
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8813 npm HIGH PATCH GHSA This Week

Denial-of-service in ExifReader (npm package mattiasw/ExifReader) before 4.39.0 allows remote attackers to exhaust memory by submitting a crafted image whose ICC profile contains a malformed mluc tag. A specially crafted record count combined with a zero record size causes the parser to loop on the same record while continuously appending entries to an array, driving memory growth until the host process crashes. CVSS 4.0 base score is 7.7 with proof-of-concept exploit maturity (E:P), and publicly available exploit code exists via the referenced gist; no active in-the-wild exploitation is indicated.

Denial Of Service Exifreader
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Decompression bomb (data amplification) in ExifReader npm package before 4.39.0 allows remote unauthenticated attackers to exhaust server memory by supplying a crafted PNG file with a highly compressed zTXt metadata chunk. The vulnerable path activates only when the caller enables asynchronous parsing (`async: true`), at which point ExifReader decompresses the chunk via the Compression Streams API with no upper bound on output size. Publicly available proof-of-concept exploit code exists (E:P); this CVE is not listed in CISA KEV.

Information Disclosure Exifreader
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Denial-of-service in ExifReader (npm package mattiasw/ExifReader) before 4.39.0 allows remote attackers to exhaust memory by submitting a crafted image whose ICC profile contains a malformed mluc tag. A specially crafted record count combined with a zero record size causes the parser to loop on the same record while continuously appending entries to an array, driving memory growth until the host process crashes. CVSS 4.0 base score is 7.7 with proof-of-concept exploit maturity (E:P), and publicly available exploit code exists via the referenced gist; no active in-the-wild exploitation is indicated.

Denial Of Service Exifreader
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy