CVE-2025-71330
Received Received - Intake
Image DoS in image-size Library via Malicious ICNS Buffer

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2025-71330
EUVD
EUVD-2025-210105
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-71330 is a denial of service vulnerability in the image-size library versions 1.1.0 to 1.2.1 and 2.0.0 to 2.0.2. It occurs when a remote attacker supplies a specially crafted ICNS image buffer containing valid magic bytes and a zero-valued entry length field. This causes an infinite loop in the ICNS parser because the offset is never incremented, making the while loop condition true indefinitely. As a result, the Node.js event loop is permanently blocked.

Impact Analysis

This vulnerability can cause a denial of service by permanently blocking the Node.js event loop. An attacker can exploit this by sending a malformed ICNS image that triggers an infinite loop in the parser, effectively making the affected application unresponsive and unable to process further events or requests.

Detection Guidance

This vulnerability can be detected by identifying if your system or application is using the image-size library versions 1.1.0 to 1.2.1 or 2.0.0 to 2.0.2, which are affected by the ICNS image parsing issue.

To detect potential exploitation attempts, monitor for Node.js processes that become unresponsive or hang indefinitely, as the vulnerability causes the Node.js event loop to block.

While no specific detection commands are provided, you can use commands to check the installed version of the image-size package, for example:

  • npm list image-size
  • yarn list image-size

Additionally, monitoring logs or network traffic for malformed ICNS image buffers being processed might help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the image-size library to a version later than 2.0.2 where the vulnerability has been addressed.

If an upgrade is not immediately possible, consider implementing input validation or filtering to block or sanitize ICNS image buffers with suspicious or zero-valued entry length fields before they reach the vulnerable parser.

Also, monitor Node.js processes for hangs or unresponsiveness and restart them as a temporary measure to recover from potential denial of service conditions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart