Description
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the image-size library up to and including version 2.0.2, in the box walker that its JXL and HEIF (ISOBMFF-style container) parsers share. The walker reads each box's size field and advances its offset by that value; a box whose size field is zero advances the offset by zero, so the loop re-reads the same header forever and never reaches its exit condition. Because image-size parses synchronously, a single crafted buffer pins the Node.js event loop and the process stops serving every other request until it is restarted. The input can be delivered remotely by uploading or otherwise feeding a malicious image, and any Node.js application that passes untrusted images in these formats to image-size is exposed, including applications that use the library only to validate uploads. The weakness is recorded as CWE-835, Loop with Unreachable Exit Condition ('Infinite Loop').

Affected Systems

The issue affects the image-size JavaScript library in versions up to and including 2.0.2, as the current CVE text states. Note that the text has been revised: the initial VulnCheck description (see History below) scoped the bug to 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 and also named JP2 alongside JXL and HEIF, so pin the exact version from your lockfile and check it against the GHSA advisory rather than assuming a 1.x release is unaffected. Applications that incorporate an affected release are at risk regardless of Node.js runtime or environment if they accept user-supplied images in these formats. No vendor-specific product names beyond the library itself were provided.

Risk and Exploitability

The score of 8.7 is the CVSS v4.0 value (AV:N/AC:L/AT:N/PR:N/UI:N with Availability High and no confidentiality or integrity impact); the CVSS v3.1 score recorded for the same vector is 7.5. Both place the flaw in the high severity range. The EPSS score of <1% indicates a low observed exploitation probability, but the SSVC entry in the History below records Exploitation as "poc" and Automatable as "yes": a proof of concept exists and crafting a triggering file is mechanical. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and unauthenticated, a single upload or ingested image with no further exploit steps, and the effect is a wedged process rather than degraded service: because the loop runs synchronously on the event loop, nothing else in that process (including timers and health-check handlers) runs until an external supervisor restarts it.

Generated by OpenCVE AI on June 10, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade image-size to a release the GitHub advisory (GHSA-m5qc-5hw7-8vg7) lists as patched. This page's recommendation names version 2.0.3 or later, while the Remediation field above records no vendor fix, so confirm the fixed version against the advisory before closing the finding.
  • If an upgrade is not immediately possible, pre-screen uploads before they reach image-size: walk the HEIF/JXL box structure on the raw bytes and reject any file containing a box whose size field is zero, or more precisely any box whose declared size does not move the offset forward. findBox is internal to the library, so its result cannot be inspected from calling code; the check has to run on the bytes first.
  • Audit all code paths that use image-size for image validation and ensure the library is called only after legitimate format checks have passed (declared content type, magic bytes, and a maximum byte size).
  • Run image processing off the main thread, in a worker_threads Worker or a child process, under a hard deadline that terminates the worker. A setTimeout or Promise.race on the same thread cannot recover from this bug: the loop is synchronous, so the timer callback never gets a turn until the loop ends, which it never does.

Advisories
Source: GitHub GHSA
ID: GHSA-m5qc-5hw7-8vg7
Title: image-size Denial of Service via Infinite Loop during Image Processing

History

Wed, 24 Jun 2026 12:15:00 +0000
  (no field changes listed)

Mon, 15 Jun 2026 18:00:00 +0000
  • First Time appeared, added: Image-size; Image-size image-size
  • CPEs, added: cpe:2.3:a:image-size:image-size:*:*:*:*:*:node.js:*:*
  • Vendors & Products, added: Image-size; Image-size image-size

Wed, 10 Jun 2026 17:30:00 +0000
  • Metrics, added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 14:30:00 +0000
  (no field changes listed)

Wed, 10 Jun 2026 13:30:00 +0000
  • Description, removed: image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.
  • Description, added: image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
  • Title, removed: image-size < 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function
  • Title, added: image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser
  • References: changed (values not listed on this page)

Wed, 10 Jun 2026 11:15:00 +0000
  • First Time appeared, added: Image Sizes Project; Image Sizes Project image Sizes
  • Vendors & Products, added: Image Sizes Project; Image Sizes Project image Sizes

Tue, 09 Jun 2026 20:30:00 +0000
  • Description, added: image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.
  • Title, added: image-size < 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function
  • Weaknesses, added: CWE-835
  • References: added (values not listed on this page)
  • Metrics, added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  • Metrics, added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T03:15:44.077Z

Reserved: 2026-06-08T20:44:31.209Z

Link: CVE-2025-71319

Vulnrichment

Updated: 2026-06-30T02:41:26.265Z

NVD

Status: Analyzed

Published: 2026-06-09T21:17:03.153

Modified: 2026-06-15T17:52:04.080

Link: CVE-2025-71319

Red Hat

Severity: Important

Public Date: 2026-06-09T19:57:16Z

Links: CVE-2025-71319 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T15:15:07Z

Weaknesses
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')