Impact
The vulnerability exists in ExifReader versions older than 4.39.0. An attacker can supply a crafted image whose ICC profile contains an mluc tag specifying an attacker-controlled record count together with a zero record size. During parsing, the library processes the same record repeatedly and appends entries to an array without proper bounds validation, which causes unbounded memory growth. The result is an application that exhausts available memory and potentially crashes. The weakness is a lack of bounds checking when handling an image metadata tag, leading to resource exhaustion. Depending on how the application integrates ExifReader, the denial of service could affect the entire process or only the single thread that performs image parsing.
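The bounds check the advisory describes as missing, shown as an added example rather than ExifReader's own code: the tag layout follows the ICC mluc (multiLocalizedUnicodeType) structure, and MAX_RECORDS is an assumed policy cap for the example, not a value from the page or the spec.

```javascript
// Added example, not ExifReader's code: a bounds-checked reader for the ICC 'mluc'
// tag. Layout per ICC.1: 'mluc' signature (4) | reserved (4) | record count (4) |
// record size (4), then 12-byte records (lang 2, country 2, byte length 4,
// offset 4) and UTF-16BE text. All integers are big-endian.
const MLUC_HEADER = 16;
const MLUC_RECORD = 12;
const MAX_RECORDS = 1024; // assumed policy cap for this example, not a spec value

function parseMluc(bytes) {
  if (bytes.byteLength < MLUC_HEADER) throw new RangeError('mluc: tag too short');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (String.fromCharCode(...bytes.subarray(0, 4)) !== 'mluc')
    throw new RangeError('mluc: bad signature');
  const count = view.getUint32(8);
  const size = view.getUint32(12);
  // An unchecked loop trusts `count` and advances by `size`; with size 0 the
  // cursor never moves and `count` copies of one record get pushed. Reject
  // that shape before allocating anything.
  if (size < MLUC_RECORD) throw new RangeError('mluc: record size below 12');
  if (count > MAX_RECORDS) throw new RangeError('mluc: record count exceeds cap');
  if (MLUC_HEADER + count * size > bytes.byteLength)
    throw new RangeError('mluc: record table exceeds tag length');
  const records = [];
  for (let i = 0; i < count; i++) {
    const off = MLUC_HEADER + i * size;
    const length = view.getUint32(off + 4);
    const strOff = view.getUint32(off + 8);
    if (length % 2 !== 0 || strOff + length > bytes.byteLength)
      throw new RangeError(`mluc: string ${i} out of bounds`);
    let text = '';
    for (let p = strOff; p < strOff + length; p += 2) text += String.fromCharCode(view.getUint16(p));
    records.push({ lang: String.fromCharCode(bytes[off], bytes[off + 1]),
                   country: String.fromCharCode(bytes[off + 2], bytes[off + 3]), text });
  }
  return records;
}

// Constructed sample tags (not from a real profile): one well-formed record, and
// the header shape the advisory describes (huge record count, record size 0).
const u32 = (n) => [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255];
function mlucTag(count, size, text) {
  const utf16 = [...text].flatMap((ch) => [0, ch.charCodeAt(0)]); // ASCII to UTF-16BE
  return Uint8Array.from([
    0x6d, 0x6c, 0x75, 0x63, ...u32(0), ...u32(count), ...u32(size),
    0x65, 0x6e, 0x55, 0x53, ...u32(utf16.length), ...u32(MLUC_HEADER + MLUC_RECORD), ...utf16,
  ]);
}
const GOOD_TAG = mlucTag(1, 12, 'sRGB');          // parses to one 'en'/'US' record
const BAD_TAG = mlucTag(0xffffffff, 0, 'sRGB');   // rejected before any allocation
```

The three checks on record size, record count and table length each fail closed; the one on record size is what stops the zero-size case from turning the count into an allocation loop.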
Affected Systems
This issue affects the ExifReader JavaScript library. Any application that imports this package and uses it to parse images supplied by untrusted sources is affected. Versions before 4.39.0 are vulnerable; upgrading to 4.39.0 or later mitigates the problem.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. No EPSS data is available, so the exploit probability is unknown at this time. The vulnerability is not listed in CISA's KEV catalog. Attackers can trigger memory exhaustion by supplying a crafted image to any code path that parses images with ExifReader, so the attack vector is likely a maliciously constructed image file. Successful exploitation would lead to denial of service, potentially impacting the availability of services that rely on ExifReader.
OpenCVE Enrichment