Description
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
Published: 2026-06-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

image-size through 2.0.2 has a remote denial of service vulnerability that allows attackers to block the Node.js event loop indefinitely. By sending a crafted image buffer that contains a box with a zero‑valued size field in the JXL or HEIF format, the parser enters an infinite loop that never advances the offset pointer, effectively hanging the application for the remainder of its lifetime. The weakness is an uncontrolled loop (CWE‑835) and can compromise availability for any service that uses image-size for image processing.

Affected Systems

The affected product is the image-size library, version 2.0.2 and earlier. Any Node.js application that imports the library for parsing JXL or HEIF images can be impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-impact denial of service scenario. No EPSS value is provided and the vulnerability is not listed in the CISA KEV catalog, but the absence of an exploitation probability score does not reduce the risk of immediate exploitation, because the attacker only needs to supply a specially crafted image through the application's normal image processing path. Since the vulnerable code executes on the main Node.js event loop, the exploit requires no elevated privileges and can be triggered by any request that causes the parser to be invoked.

Generated by OpenCVE AI on June 10, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade image-size to the corrected release that patches the zero‑size box check, such as the version released in pull request 439.
  • If an upgrade cannot be performed immediately, validate image uploads first to ensure that no box has a zero size before passing the buffer to the parser; reject or sanitize such inputs.
  • Use a process manager or supervisor to automatically restart the Node.js process if the event loop is detected to be blocked or the application becomes unresponsive.
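The following is an added example of the pre-validation step recommended above, written for this page; it is not image-size's own code and not the fix from pull request 439. It assumes the ISOBMFF-style box layout that HEIF and the JXL container share (a 4-byte big-endian size followed by a 4-byte type, with size 1 meaning an 8-byte largesize follows), and it illustrates the Impact section's point directly: the check is simply whether every box advances the offset. The names validateBoxes, makeBox, safeImageSize and the SAMPLE_* buffers are hypothetical, the sample buffers are constructed rather than real image files, and the imageSize callback stands in for whichever parser function the application calls. It goes slightly beyond the zero-size case by also rejecting truncated headers, largesize boxes that overrun the buffer, and unbounded box counts.

```javascript
'use strict';
// Added example (not image-size's code): a bounded walk over ISOBMFF-style boxes that
// rejects any box whose size field cannot move the offset forward. Assumption: each box
// begins with a 4-byte big-endian size and a 4-byte type; size 1 means an 8-byte largesize
// follows the type. A parser that takes a size of 0 literally never advances, which is the
// hang described above, so a size smaller than the header it sits in is rejected here.

const BOX_HEADER_LEN = 8;
const LARGE_HEADER_LEN = 16;

function validateBoxes(buf, maxBoxes = 10000) {
  let offset = 0;
  let boxes = 0;
  while (offset < buf.length) {
    if (buf.length - offset < BOX_HEADER_LEN) {
      return { ok: false, reason: `truncated box header at offset ${offset}` };
    }
    const type = buf.toString('latin1', offset + 4, offset + 8);
    let size = buf.readUInt32BE(offset);
    let headerLen = BOX_HEADER_LEN;
    if (size === 1) {
      // Extended size: the real length is a 64-bit value after the type field.
      if (buf.length - offset < LARGE_HEADER_LEN) {
        return { ok: false, reason: `truncated largesize header for '${type}' at offset ${offset}` };
      }
      const large = buf.readBigUInt64BE(offset + 8);
      if (large > BigInt(buf.length - offset)) {
        return { ok: false, reason: `box '${type}' at offset ${offset} claims ${large} bytes, exceeding the buffer` };
      }
      size = Number(large);
      headerLen = LARGE_HEADER_LEN;
    }
    // ISOBMFF permits size 0 only for a final "to end of file" box, but the vulnerable loop
    // cannot cope with it, so reject size 0 and anything else too small to hold its own header.
    if (size < headerLen) {
      return { ok: false, reason: `box '${type}' at offset ${offset} has size ${size}, which cannot advance the offset` };
    }
    if (offset + size > buf.length) {
      return { ok: false, reason: `box '${type}' at offset ${offset} overruns the buffer` };
    }
    offset += size;
    if (++boxes > maxBoxes) {
      return { ok: false, reason: `more than ${maxBoxes} boxes` };
    }
  }
  return { ok: true, boxes };
}

// Helper for building constructed sample inputs; sizeOverride lets a test forge the size field.
function makeBox(type, payload = Buffer.alloc(0), sizeOverride) {
  const header = Buffer.alloc(BOX_HEADER_LEN);
  const size = sizeOverride === undefined ? BOX_HEADER_LEN + payload.length : sizeOverride;
  header.writeUInt32BE(size, 0);
  header.write(type, 4, 4, 'latin1');
  return Buffer.concat([header, payload]);
}

// Constructed samples (not real HEIF/JXL files): a well-formed two-box sequence, and the
// same sequence with the second box's size field set to 0.
const SAMPLE_VALID = Buffer.concat([
  makeBox('ftyp', Buffer.from('heic', 'latin1')),
  makeBox('meta', Buffer.alloc(4)),
]);
const SAMPLE_ZERO_SIZE = Buffer.concat([
  makeBox('ftyp', Buffer.from('heic', 'latin1')),
  makeBox('meta', Buffer.alloc(4), 0),
]);

// Gate the parser behind the check: only buffers that pass reach the supplied imageSize function.
function safeImageSize(buf, imageSize) {
  const verdict = validateBoxes(buf);
  if (!verdict.ok) {
    throw new Error(`rejected image: ${verdict.reason}`);
  }
  return imageSize(buf);
}

console.log(validateBoxes(SAMPLE_VALID));
console.log(validateBoxes(SAMPLE_ZERO_SIZE));
```

The check is deliberately type-agnostic: it rejects a non-advancing size in any box rather than only in the recognized box types the description mentions, which is stricter than the bug requires but costs nothing. It also rejects a trailing size-0 box that the ISOBMFF spec would allow; for an upload path that is an acceptable trade, since the downstream parser cannot handle it anyway.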

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 13:30:00 +0000

Values removed: (none)

Type: Description
Values added: image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.

Type: Title
Values added: image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser

Type: Weaknesses
Values added: CWE-835

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:46:07.985Z

Reserved: 2026-06-10T12:57:20.193Z

Link: CVE-2025-71329

Vulnrichment

Updated: 2026-06-10T14:46:04.665Z

NVD

Status: Received

Published: 2026-06-10T14:16:30.160

Modified: 2026-06-10T14:16:30.160

Link: CVE-2025-71329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T14:45:32Z

Weaknesses