image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

AI Analysis

Denial of Service via Malformed ICNS Image Parsing

Basic Information

ID CVE-2025-71330

Source VulnCheck

Published Jun 10, 2026 at 13:02

Affected Product

Vendor image-size

Product image-size

Version 1.1.0

Affected Versions image-size image-size 1.1.0
image-size image-size 2.0.0

CWE Classification

CWE-835

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor image-size

Product image-size

Version 1.1.0, 2.0.0, 2.0.2

References

{
    "lastseen": "",
    "description": "image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.",
    "published": "2026-06-10T13:02:04.764Z",
    "modified": "2026-06-10T13:02:04.764Z",
    "type": "cve",
    "title": "image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing",
    "source": "VulnCheck",
    "references": "https://joshua.hu/image-size-infinite-loop-dos-vulnerabilities\nhttps://web.archive.org/web/20260224152152/https://github.com/image-size/image-size/pull/439\nhttps://www.vulncheck.com/advisories/image-size-denial-of-service-via-malformed-icns-image-parsing",
    "id": "CVE-2025-71330",
    "bulletinFamily": "",
    "cwe": [
        "CWE-835"
    ],
    "cvelist": null,
    "sourceData": "image-size image-size 1.1.0\nimage-size image-size 2.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "image-size",
    "version": "1.1.0",
    "vendor": "image-size",
    "ai_description": "Denial of Service via Malformed ICNS Image Parsing",
    "ai_severity": "High",
    "ai_vendor": "image-size",
    "ai_product": "image-size",
    "ai_version": "1.1.0, 2.0.0, 2.0.2",
    "ai_score": 8.7
}

image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing_CVE-2025-71330