CVE 8.7 HIGH

image-size < 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function_CVE-2025-71319

June 9, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.

AI Analysis

Denial of Service via Infinite Loop in findBox Function

Basic Information

ID CVE-2025-71319

Source VulnCheck

Published Jun 9, 2026 at 19:57

Affected Product

Vendor image-size

Product image-size

Version 1.1.0, 2.0.0

Affected Versions image-size image-size 1.1.0
image-size image-size 2.0.0

CWE Classification

CWE-835

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor image-size

Product image-size

Version 1.1.0, 2.0.0

References

{
    "lastseen": "",
    "description": "image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.",
    "published": "2026-06-09T19:57:16.125Z",
    "modified": "2026-06-09T19:57:16.125Z",
    "type": "cve",
    "title": "image-size < 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function",
    "source": "VulnCheck",
    "references": "https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7\nhttps://www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-findbox-function",
    "id": "CVE-2025-71319",
    "bulletinFamily": "",
    "cwe": [
        "CWE-835"
    ],
    "cvelist": null,
    "sourceData": "image-size image-size 1.1.0\nimage-size image-size 2.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "image-size",
    "version": "1.1.0, 2.0.0",
    "vendor": "image-size",
    "ai_description": "Denial of Service via Infinite Loop in findBox Function",
    "ai_severity": "High",
    "ai_vendor": "image-size",
    "ai_product": "image-size",
    "ai_version": "1.1.0, 2.0.0",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply