cvedb.io
CVE-2025-71330
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-06-10T14:16:30.387 · Last modified 2026-06-17T10:04:04.310

Summary

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

Affected products

image-size — image-size

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.