Description
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.
Published: 2026-06-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an infinite loop caused by parsing an ICNS image buffer that contains a zero‑valued entry length field. When the image-size library (v2.0.2 and earlier) reads such a buffer, the offset never advances, the while‑loop condition stays true, and the Node.js event loop is permanently blocked. The result is a complete denial of service to any application that imports the affected library and processes the malformed image.

Affected Systems

Any Node.js application that depends on the image-size package version 2.0.2 or earlier is susceptible. The library propagates through any project that imports it, exposing all environments that run the Node.js code to the risk.

Risk and Exploitability

The CVSS v3.1 score of 8.7 reflects the high severity of the denial of service. EPSS data is unavailable and the vulnerability is not currently listed in the CISA KEV catalog. Attackers can remotely exploit the flaw by delivering a specially crafted ICNS buffer—typically via a file upload, API payload, or embedded data—to a running application that uses image-size. The lack of checks on the entry length makes the flaw trivially exploitable for anyone who can influence the input.

Generated by OpenCVE AI on June 10, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the image-size package to v2.0.3 or later.
  • Validate ICNS image data before parsing, rejecting or correcting any entry with a length of zero.
  • Monitor Node.js event loop usage and consider process restarts or clustering to contain any accidental denial of service.
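
The second recommended action, as an added example (not code from image-size or OpenCVE): a pre-parse guard that walks the ICNS entries and rejects any entry whose length cannot advance the cursor. It goes beyond the zero-length case by also rejecting lengths under 8 and entries that overrun the buffer. The function names and the assumed layout (8-byte file header, then entries of a 4-byte type plus a 4-byte big-endian length that includes the entry's own 8-byte header) are this example's assumptions, and the sample buffers are constructed.

```javascript
// Added example, not image-size's code: pre-parse guard for untrusted ICNS buffers.
// Assumed layout: "icns" + uint32 BE file length, then entries of 4-byte type +
// uint32 BE entry length, where the entry length includes its own 8-byte header.
const HEADER_SIZE = 8;
const ENTRY_HEADER_SIZE = 8;

function validateIcns(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < HEADER_SIZE) {
    return { ok: false, reason: 'too short for ICNS header' };
  }
  if (buf.toString('latin1', 0, 4) !== 'icns') {
    return { ok: false, reason: 'bad magic' };
  }
  // Never trust the declared file length beyond the bytes actually received.
  const end = Math.min(buf.readUInt32BE(4), buf.length);
  let offset = HEADER_SIZE;
  let entries = 0;
  while (offset + ENTRY_HEADER_SIZE <= end) {
    const entryLength = buf.readUInt32BE(offset + 4);
    // A length below 8 (including 0) cannot move the cursor past the entry header.
    if (entryLength < ENTRY_HEADER_SIZE) {
      return { ok: false, reason: `entry at offset ${offset} has length ${entryLength}` };
    }
    if (offset + entryLength > end) {
      return { ok: false, reason: `entry at offset ${offset} overruns buffer` };
    }
    offset += entryLength; // strictly increases, so the loop always terminates
    entries += 1;
  }
  return { ok: true, entries };
}

// Builds constructed test buffers (hypothetical helper, not real icon files).
function makeIcns(entryLengths) {
  const sizes = entryLengths.map((len) => Math.max(len, ENTRY_HEADER_SIZE));
  const total = HEADER_SIZE + sizes.reduce((a, b) => a + b, 0);
  const buf = Buffer.alloc(total);
  buf.write('icns', 0, 'latin1');
  buf.writeUInt32BE(total, 4);
  let offset = HEADER_SIZE;
  entryLengths.forEach((len, i) => {
    buf.write('ic07', offset, 'latin1');
    buf.writeUInt32BE(len, offset + 4);
    offset += sizes[i];
  });
  return buf;
}
console.log(validateIcns(makeIcns([16, 24]))); // well-formed: two entries
console.log(validateIcns(makeIcns([0]))); // zero-length entry is rejected
```

Run the guard on the raw upload before the buffer reaches the image parser, and treat a failed result as a rejected upload rather than trying to repair the file.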



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.
Title | | image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing
Weaknesses | | CWE-835
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:05:08.872Z

Reserved: 2026-06-10T12:57:20.193Z

Link: CVE-2025-71330

Vulnrichment

Updated: 2026-06-10T14:04:56.180Z

NVD

Status: Received

Published: 2026-06-10T14:16:30.387

Modified: 2026-06-10T14:16:30.387

Link: CVE-2025-71330

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T14:45:32Z

Weaknesses