Impact
The vulnerability is an infinite loop in the findBox function of the image-size library. The JXL container, HEIF and JP2 formats are all built from boxes (chunks) that begin with a declared length, and findBox walks a file by adding each box's declared size to its current offset until it reaches the box it is looking for. A specially crafted file containing a box with a declared size of zero makes that offset never advance, so the function re-reads the same box forever and the host application hangs indefinitely. The denial of service can be triggered remotely by supplying such a file to any service that uses image-size to validate or parse uploaded images. The weakness is classified as CWE-835 (Loop with Unreachable Exit Condition, i.e. an infinite loop).
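The mechanism above, as an added example rather than code from the image-size project: a minimal box walker in the shape the advisory describes, which stalls on a zero-size box, next to a hardened walker that resolves the format's special sizes and refuses any box that would not move the offset forward. The box layout (32-bit big-endian size, four-character type, 64-bit largesize when the size field is 1, size 0 meaning "to end of file") is the ISO BMFF convention shared by JP2, HEIF and the JXL container; the function names, the sample file and the `maxSteps` guard are this example's own.

```javascript
// Added example, not image-size's own code. ISO BMFF style boxes: 4-byte
// big-endian size, then a 4-byte type (FourCC), then the payload.
const HEADER_LEN = 8;

// Build one box. `declaredSize` lets the caller forge a lying header,
// which is how the malicious zero-size box in the sample file is made.
function box(type, payload = Buffer.alloc(0), declaredSize) {
  const header = Buffer.alloc(HEADER_LEN);
  header.writeUInt32BE(declaredSize ?? HEADER_LEN + payload.length, 0);
  header.write(type, 4, 4, 'latin1');
  return Buffer.concat([header, payload]);
}

// Naive walker in the shape the advisory describes: step forward by the
// declared size until the wanted type appears. A declared size of 0 leaves
// the offset where it is, so this re-reads the same box forever. `maxSteps`
// is a demo-only guard so the example reports the stall instead of hanging.
function findBoxNaive(buf, wanted, maxSteps = 10_000) {
  let offset = 0;
  let steps = 0;
  while (offset + HEADER_LEN <= buf.length) {
    if (++steps > maxSteps) return { status: 'stalled', offset };
    const size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    if (type === wanted) return { status: 'found', offset, size };
    offset += size; // size === 0 -> same box again, forever
  }
  return { status: 'missing' };
}

// Hardened walker: resolves the two special sizes the format defines
// (0 = box runs to end of file, 1 = 64-bit largesize follows), then rejects
// any box shorter than its own header or overrunning the buffer. Every
// iteration therefore advances by at least HEADER_LEN, so the loop is
// bounded by buf.length and cannot spin.
function findBoxSafe(buf, wanted) {
  let offset = 0;
  while (offset + HEADER_LEN <= buf.length) {
    let size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    let headerLen = HEADER_LEN;
    if (size === 0) {
      size = buf.length - offset;
    } else if (size === 1) {
      if (offset + 16 > buf.length) throw new Error(`truncated largesize at ${offset}`);
      const big = buf.readBigUInt64BE(offset + 8);
      if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error(`largesize too big at ${offset}`);
      size = Number(big);
      headerLen = 16;
    }
    if (size < headerLen) throw new Error(`box '${type}' at ${offset} shorter than its header`);
    if (offset + size > buf.length) throw new Error(`box '${type}' at ${offset} overruns buffer`);
    if (type === wanted) return { status: 'found', offset, size };
    offset += size; // size >= headerLen >= 8, so the offset always moves
  }
  return { status: 'missing' };
}

// Constructed sample file (not a real-world capture): a valid 'ftyp' box, a
// box whose header declares size 0 although more data follows, then the box
// a dimension parser would be looking for.
const SAMPLE = Buffer.concat([
  box('ftyp', Buffer.from('jp2 ', 'latin1')),
  box('free', Buffer.alloc(4), 0), // declared size 0: naive loop stalls here
  box('jp2h', Buffer.alloc(8)),
]);

function demo() {
  return {
    naive: findBoxNaive(SAMPLE, 'jp2h'),
    safe: findBoxSafe(SAMPLE, 'jp2h'),
    validFile: findBoxSafe(Buffer.concat([box('ftyp'), box('jp2h')]), 'jp2h'),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

On the sample file the naive walker reports a stall at offset 12 (the zero-size box) where the real function would spin forever, while the hardened walker treats the zero-size box as running to end of file, never reaches the hidden `jp2h` box and returns "missing" in bounded time. Whether a zero-size box that is not the last box should be tolerated or rejected outright is a policy choice; the property that matters for CWE-835 is that the offset strictly increases on every iteration.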
Affected Systems
The affected versions of the image-size JavaScript library are 1.1.0 through 1.2.0 inclusive and 2.0.0 through 2.0.1 inclusive. Any application that ships one of these releases, whether a Node.js server, a static site generator or a client-side bundle, is exposed if it passes user-supplied images of the susceptible formats to the library. No products beyond the library itself were named.
Risk and Exploitability
The CVSS score of 8.7 places this vulnerability in the high severity range. No EPSS score is available, so the exploitation probability is unknown, but the bar is low: an attacker only needs to craft a small image file whose box header declares a size of zero, and no authentication, user interaction or additional exploit is required. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, through any upload or ingestion path that hands the file to image-size. Because the library parses synchronously, the hang blocks the Node.js event loop of the whole process rather than a single request, so one malicious upload can make every concurrent request on that process unresponsive until it is restarted. Until the library is updated, a practical stop-gap is to run image parsing in a worker or subprocess with a timeout, or to reject the affected formats at the upload boundary.
OpenCVE Enrichment
Github GHSA