CVE-2025-71330

Sažetak

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

Reference

https://joshua.hu/image-size-infinite-loop-dos-vulnerabilities
https://web.archive.org/web/20260224152152/https://github.com/image-size/image-size/pull/439
https://www.vulncheck.com/advisories/image-size-denial-of-service-via-malformed-icns-image-parsing

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Zadnje važnije ažuriranje

10-06-2026 - 19:43

Objavljeno

10-06-2026 - 14:16