Medium severity 5.3 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026
CVE-2026-8814
Description
Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| exifreader (npm) | >= 4.20.0, < 4.39.0 | 4.39.0 |
References
- github.com/advisories/GHSA-rr89-w3h9-m66j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-8814 (ghsa, ADVISORY)
- gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55 (nvd, WEB)
- github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375 (nvd, WEB)
- github.com/mattiasw/ExifReader/security/advisories/GHSA-rr89-w3h9-m66j (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689340 (nvd, WEB)