Home

Description

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

PUBLISHED Reserved 2026-06-10 | Published 2026-06-10 | Updated 2026-06-10 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

Default status
unaffected

1.1.0 (semver)
affected

2.0.0 (semver)
affected

Credits

Preston Price (@prestonprice57) finder

References

joshua.hu/image-size-infinite-loop-dos-vulnerabilities technical-description exploit

web.archive.org/...github.com/image-size/image-size/pull/439 patch

www.vulncheck.com/...ervice-via-malformed-icns-image-parsing third-party-advisory

cve.org (CVE-2025-71330)

nvd.nist.gov (CVE-2025-71330)

Download JSON