VYPR
High severity · 7.5 · NVD Advisory · Published Jun 10, 2026

CVE-2025-71330

Description

image-size 2.0.2 is vulnerable to a denial of service via specially crafted ICNS image buffers, leading to an infinite loop and event loop blockage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The image-size package, up to and including version 2.0.2, is susceptible to a denial of service vulnerability. This issue arises when parsing specially crafted ICNS image buffers. An attacker can provide an ICNS buffer with valid magic bytes and a zero-valued entry length field. This triggers an infinite loop within the ICNS parser because the offset is not incremented when the entry length is zero, causing the parsing loop to never terminate [3]. Similar infinite loops have been noted in HEIF and JP2 parsing due to zero-sized boxes [1].

Exploitation

An attacker can exploit this vulnerability by supplying a malicious ICNS image buffer to an application that uses the image-size package. The crafted buffer must contain the correct magic bytes for an ICNS file, followed by a zero-valued entry length field. This causes the parser to enter an infinite loop, as the offset used to track progress through the buffer remains static. No specific network position, authentication, or user interaction is mentioned as required, suggesting it can be triggered by simply processing a malicious file [2, 3].

Impact

Successful exploitation of this vulnerability allows a remote attacker to cause a denial of service. The infinite loop in the ICNS parser will permanently block the Node.js event loop. This effectively halts the application's ability to process further requests or perform any operations, leading to a complete service outage [3].

Mitigation

A fix for this vulnerability was merged in pull request #439 and is available in versions of image-size after 2.0.2. Users are strongly advised to update to a patched version as soon as possible. No workarounds are specified if updating is not immediately feasible. The package is not listed on the Known Exploited Vulnerabilities (KEV) catalog at this time [2].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"A specially crafted ICNS image buffer with a zero-valued entry length field causes an infinite loop in the parser."

Attack vector

Remote attackers can supply a crafted ICNS image buffer to the image-size library. This buffer contains valid magic bytes but a zero-valued entry length field. This payload triggers an infinite loop within the ICNS parser because the offset is never incremented, leading to a denial of service by blocking the Node.js event loop [ref_id=1].

Affected code

The vulnerability resides in the ICNS parsing code within the image-size library. Specifically, the loop condition `while (imageOffset < fileLength && imageOffset < inputLength)` in `dist/detector.cjs` does not advance `imageOffset` when the entry length is zero, leading to an infinite loop [ref_id=1].

What the fix does

The patch is not available in the provided bundle. The advisory suggests that a fix would involve ensuring the offset is always incremented, even when an entry length is zero, to prevent infinite loops [ref_id=1]. Without a patch, the vulnerability remains unaddressed.
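One way to screen ICNS input before it reaches a parser, as an added example (this is not image-size's code and not the project's patch): a bounded walk over the entry table that rejects any entry whose length is smaller than its own 8-byte header, so the offset always advances. The function names and sample buffers are constructed for illustration.

```javascript
// Added example: pre-parse guard for ICNS buffers (hypothetical helper names).
// ICNS layout: 'icns' magic (4 bytes), big-endian file length (4 bytes), then
// entries of [4-byte type][4-byte big-endian length that includes this header].
const ICNS_HEADER = 8;  // magic + file length
const ENTRY_HEADER = 8; // entry type + entry length

function isIcns(buf) {
  return buf.length >= ICNS_HEADER &&
    buf[0] === 0x69 && buf[1] === 0x63 && buf[2] === 0x6e && buf[3] === 0x73;
}

// Reports the first structural problem in the entry table.
// Each iteration either returns or advances `offset` by at least 8 bytes,
// so the loop runs at most buf.length / 8 times.
function checkIcnsEntries(buf) {
  if (!isIcns(buf)) return { ok: true, reason: 'not ICNS' };
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const end = Math.min(view.getUint32(4), buf.length); // never trust the header alone
  let offset = ICNS_HEADER;
  let entries = 0;
  while (offset < end) {
    if (offset + ENTRY_HEADER > end) {
      return { ok: false, reason: `truncated entry header at ${offset}` };
    }
    const entryLength = view.getUint32(offset + 4);
    if (entryLength < ENTRY_HEADER) {
      return { ok: false, reason: `entry length ${entryLength} at ${offset}` };
    }
    offset += entryLength;
    entries++;
  }
  return { ok: true, reason: `${entries} entries` };
}

// Constructed sample: zero-valued entry length, the condition this CVE describes.
const zeroLengthEntry = Uint8Array.from([
  0x69, 0x63, 0x6e, 0x73, 0x00, 0x00, 0x00, 0x10,
  0x69, 0x73, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00,
]);
// Constructed sample: one well-formed 'is32' entry (8-byte header + 4 data bytes).
const wellFormed = Uint8Array.from([
  0x69, 0x63, 0x6e, 0x73, 0x00, 0x00, 0x00, 0x14,
  0x69, 0x73, 0x33, 0x32, 0x00, 0x00, 0x00, 0x0c, 1, 2, 3, 4,
]);

console.log(checkIcnsEntries(zeroLengthEntry), checkIcnsEntries(wellFormed));
```

A caller would reject the upload when `ok` is false and only then hand the buffer to the image library.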

Preconditions

  • input: The attacker must provide a specially crafted ICNS image buffer with a zero-valued entry length field.
  • network: The target application must be accessible over a network to receive the crafted image buffer.

Reproduction

const { imageSize } = require('image-size');

const malicious = new Uint8Array([
  0x69, 0x63, 0x6e, 0x73, // 'icns' magic bytes -> passes the ICNS signature check
  0x00, 0x00, 0x00, 0x10, // file length = 16 (big-endian) -> the loop's upper bound
  0x69, 0x73, 0x33, 0x32, // entry type 'is32' (a valid icon type)
  0x00, 0x00, 0x00, 0x00, // entry length = 0 -> imageOffset never advances -> infinite loop
]);

imageSize(malicious);

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
