CVE-2025-71330
7.5 HIGH
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
Description
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.
Source: NVD
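The loop defect described above, modelled as an added example that is not the image-size project's own code: a minimal Node.js ICNS entry walker that assumes the standard ICNS layout ('icns' magic, big-endian file length, then entries of a 4-byte type plus a big-endian length that counts the entry's own 8-byte header) and rejects any entry whose length field is smaller than that header, so the offset always advances. The sample buffers are constructed here for illustration.

```javascript
// Added example, not image-size's own code: a minimal ICNS entry walker
// that closes the infinite loop described in CVE-2025-71330. Assumed layout:
// 'icns' magic, big-endian uint32 file length, then entries of a 4-byte type
// and a big-endian uint32 entry length that counts the entry's own header.
const HEADER_SIZE = 8;
const ENTRY_HEADER_SIZE = 8;

function parseIcnsEntries(buf) {
  if (buf.length < HEADER_SIZE || buf.toString('latin1', 0, 4) !== 'icns') {
    throw new Error('not an ICNS buffer');
  }
  // Bound the walk by the bytes actually supplied, not only the declared length.
  const fileLength = Math.min(buf.readUInt32BE(4), buf.length);
  const entries = [];
  let offset = HEADER_SIZE;
  while (offset + ENTRY_HEADER_SIZE <= fileLength) {
    const type = buf.toString('latin1', offset, offset + 4);
    const entryLength = buf.readUInt32BE(offset + 4);
    // The vulnerable pattern is an unconditional `offset += entryLength`:
    // a zero length leaves `offset` unchanged and the loop never exits.
    // Requiring the entry to cover at least its own header guarantees progress.
    if (entryLength < ENTRY_HEADER_SIZE) {
      throw new Error(`invalid ICNS entry length ${entryLength} at offset ${offset}`);
    }
    entries.push({ type, length: entryLength, offset });
    offset += entryLength;
  }
  return entries;
}

// Builds constructed sample buffers (not taken from the advisory) from
// [type, declaredLength] pairs; payload bytes beyond the header are zeros.
function buildIcns(specs) {
  const chunks = specs.map(([type, declaredLength]) => {
    const entry = Buffer.alloc(Math.max(ENTRY_HEADER_SIZE, declaredLength));
    entry.write(type, 0, 4, 'latin1');
    entry.writeUInt32BE(declaredLength, 4);
    return entry;
  });
  const body = Buffer.concat(chunks);
  const header = Buffer.alloc(HEADER_SIZE);
  header.write('icns', 0, 4, 'latin1');
  header.writeUInt32BE(HEADER_SIZE + body.length, 4);
  return Buffer.concat([header, body]);
}

// True when the walker rejects the buffer instead of looping forever.
function rejectsZeroLengthEntry(buf) {
  try { parseIcnsEntries(buf); return false; } catch (e) { return /entry length/.test(e.message); }
}
```

A well-formed two-entry buffer walks to completion, while a buffer whose first entry declares length 0 is refused on the first iteration.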
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71330
- Other: https://joshua.hu/image-size-infinite-loop-dos-vulnerabilities
- Other: https://web.archive.org/web/20260224152152/https://github.com/image-size/image-size/pull/439
- Other: https://www.vulncheck.com/advisories/image-size-denial-of-service-via-malformed-icns-image-parsing
Related CVEs
Same CWE
- CVE-2026-48733 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.7 MEDIUM)
- CVE-2026-46521 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-46522 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
- CVE-2026-49495 — Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection ... (5.5 MEDIUM)
- CVE-2025-71329 — image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event l... (7.5 HIGH)