CVE-2025-71330
HIGHimage-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing
Title source: cnaDescription
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.
References (3)
Core 3
Core References
Exploit technical-description
exploit
https://joshua.hu/image-size-infinite-loop-dos-vulnerabilities
Patch patch
https://web.archive.org/web/20260224152152/https://github.com/image-size/image-size/pull/439
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/image-size-denial-of-service-via-malformed-icns-image-parsing
Scores
CVSS v3
7.5
EPSS
0.0042
EPSS Percentile
33.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-835
Status
published
Products (2)
image-size/image-size
1.1.0 - 1.2.1 (2 CPE variants)
image-size/image-size
2.0.0 - 2.0.2
Published
Jun 10, 2026
Tracked Since
Jun 10, 2026