CVE-2025-71330

Analyzed Analyzed - Analysis Complete

Image DoS in image-size Library via Malicious ICNS Buffer

Publication date: 2026-06-10

Last updated on: 2026-06-15

Assigner: VulnCheck

Description

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-10

Last Modified

2026-06-15

Generated

2026-06-30

AI Q&A

2026-06-11

EPSS Evaluated

2026-06-29

NVD

CVE-2025-71330

EUVD

EUVD-2025-210105

Affected Vendors & Products

Vendor	Product	Version / Range
image-size	image-size	From 1.1.0 (inc) to 1.2.1 (inc)
image-size	image-size	From 2.0.0 (inc) to 2.0.2 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-835	The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-71330 is a denial of service vulnerability in the image-size library versions 1.1.0 to 1.2.1 and 2.0.0 to 2.0.2. It occurs when a remote attacker supplies a specially crafted ICNS image buffer containing valid magic bytes and a zero-valued entry length field. This causes an infinite loop in the ICNS parser because the offset is never incremented, making the while loop condition true indefinitely. As a result, the Node.js event loop is permanently blocked.

Impact Analysis

This vulnerability can cause a denial of service by permanently blocking the Node.js event loop. An attacker can exploit this by sending a malformed ICNS image that triggers an infinite loop in the parser, effectively making the affected application unresponsive and unable to process further events or requests.

Detection Guidance

This vulnerability can be detected by identifying if your system or application is using the image-size library versions 1.1.0 to 1.2.1 or 2.0.0 to 2.0.2, which are affected by the ICNS image parsing issue.

To detect potential exploitation attempts, monitor for Node.js processes that become unresponsive or hang indefinitely, as the vulnerability causes the Node.js event loop to block.

While no specific detection commands are provided, you can use commands to check the installed version of the image-size package, for example:

npm list image-size
yarn list image-size

Additionally, monitoring logs or network traffic for malformed ICNS image buffers being processed might help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the image-size library to a version later than 2.0.2 where the vulnerability has been addressed.

If an upgrade is not immediately possible, consider implementing input validation or filtering to block or sanitize ICNS image buffers with suspicious or zero-valued entry length fields before they reach the vulnerable parser.

Also, monitor Node.js processes for hangs or unresponsiveness and restart them as a temporary measure to recover from potential denial of service conditions.

Hi! I’m here to help you understand CVE-2025-71330. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70