CVE-2026-8814
5.3 MEDIUM · exifreader before 4.39.0 inflates PNG zTXt metadata without a maximum decompressed size (CWE-409, data amplification)
Published: 2026-05-19 · Last updated: 2026-05-19
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE: CWE-409 (Improper Handling of Highly Compressed Data, Data Amplification)
Description
Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification, CWE-409): PNG zTXt metadata is decompressed without a built-in limit on the decompressed output size. When asynchronous parsing is enabled, a crafted PNG whose zTXt chunk carries a highly compressed payload (a few kilobytes that inflate to many megabytes) causes ExifReader to materialize a disproportionately large Comment value in memory. The impact is availability only (vector C:N/I:N/A:L, no privileges or user interaction required). Fixed in 4.39.0; see the referenced ExifReader commit for the change.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8814
- [Other]https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55
- [Other]https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375
- [Other]https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689340
Related CVEs
Same CWE
- CVE-2026-49755 — Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers ...
- CVE-2026-10725 — Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb (7.5 HIGH)
- CVE-2026-48594 — Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decom...
- CVE-2026-44697 — Klever-Go is the Go implementation of the Klever blockchain protocol (8.6 HIGH)
- CVE-2026-2575 — A flaw was found in Keycloak (5.3 MEDIUM)