CVE-2025-71329
Image DoS in image-size Library via Zero-Size Box

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box type. An attacker can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box whose size is zero: the parser advances its offset by the box size, so the offset never moves and the application hangs permanently.
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-835
CWE Description: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-71329 is a denial of service vulnerability in the image-size library (versions up to 2.0.2) that allows remote attackers to cause an application to hang indefinitely.

The vulnerability occurs when a specially crafted image buffer contains a zero-valued size field in a recognized box type, such as in the JXL, HEIF, or ICNS image parsers.

This zero size causes the parser's offset to never advance, triggering an infinite loop that permanently blocks the Node.js event loop and causes the application to hang.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition by making the affected application hang indefinitely.

An attacker can exploit this by sending a maliciously crafted image file with a zero-sized box or entry, which triggers an infinite loop in the image parser.

As a result, the Node.js event loop is permanently blocked, preventing the application from processing further requests or tasks, which can lead to service outages and resource exhaustion.

Detection Guidance

Detection starts with identifying applications that depend on image-size versions 1.1.0 to 1.2.1 or 2.0.0 to 2.0.2, which are vulnerable to denial of service via infinite loops triggered by specially crafted image files.

Detection can involve observing if the Node.js event loop is permanently blocked or if the application hangs indefinitely when processing image files, especially those in JXL, HEIF, JP2, or ICNS formats.

To detect exploitation attempts or the presence of crafted images, you can use commands to monitor running Node.js processes for hangs or high CPU usage, and inspect logs for errors related to image parsing.

  • Use process monitoring commands like `top` or `htop` to identify Node.js processes that are consuming excessive CPU or appear hung.
  • Use `lsof -p <pid>` to check open files by the Node.js process to identify if it is processing suspicious image files.
  • Use network monitoring tools like `tcpdump` or `wireshark` to capture image file transfers and analyze them for suspicious zero-sized box fields.
  • If you have access to the source or logs, add debugging or logging around image-size library calls to detect when an image with a zero-sized box is processed.
Mitigation Strategies

The immediate mitigation step is to upgrade the image-size library to a version later than 2.0.2 where the vulnerability has been fixed.

If upgrading is not immediately possible, consider implementing input validation to reject images with zero-sized boxes or entries before they are processed by the vulnerable library.

Additionally, monitor your Node.js applications for hangs or high CPU usage that could indicate exploitation attempts.

Limit exposure by restricting the sources from which image files are accepted, and apply network-level controls to block suspicious traffic.

Compliance Impact

The provided information does not specify any direct impact of CVE-2025-71329 on compliance with common standards and regulations such as GDPR or HIPAA.
