Description
Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.
Published: 2026-05-19
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Excessive decompression of PNG zTXt metadata in exifreader allows an attacker to trigger an unbounded allocation of memory. A crafted PNG file containing a highly compressed zTXt chunk can cause the library to materialize a Comment value that is orders of magnitude larger than expected, exhausting host memory and potentially leading to a process crash or unresponsiveness. The flaw is classified as CWE-409 and primarily impacts application availability.

Affected Systems

All releases of the exifreader npm package older than version 4.39.0 are affected. No other vendor or product names are listed in the CNA data.

Risk and Exploitability

The CVSS v4 score of 6.9 (Medium) reflects an availability-only impact: the vector records no confidentiality or integrity loss. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is straightforward: an attacker submits a malicious PNG file to any application that uses exifreader with asynchronous parsing enabled. No authentication or privilege escalation is required; any user able to provide the image can trigger the denial-of-service.

Generated by OpenCVE AI on May 19, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the exifreader library to version 4.39.0 or newer, which limits the decompressed output size.
  • If an upgrade is not immediately feasible, disable asynchronous parsing for untrusted images or process image data in a sandboxed environment to contain potential memory amplification.
  • Implement input validation to reject PNG files containing highly compressed zTXt chunks or enforce a strict maximum size limit before invoking the exifreader library.

Advisories

No advisories yet.

History

Tue, 19 May 2026 08:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Mattiasw; Mattiasw exifreader
Vendors & Products                      Mattiasw; Mattiasw exifreader

Tue, 19 May 2026 06:30:00 +0000

Type          Values Removed    Values Added
Description                     Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.
Weaknesses                      CWE-409
References
Metrics                         cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P'}
                                cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-05-19T05:00:09.223Z

Reserved: 2026-05-18T08:43:29.632Z

Link: CVE-2026-8814

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T07:16:30.357

Modified: 2026-05-19T07:16:30.357

Link: CVE-2026-8814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T08:18:28Z

Weaknesses