By vendor
Image-Size vulnerabilities
Known CVEs affecting Image-Size products, prioritized by severity, with SEC.co remediation and detection guidance.
3 published vulnerabilities
- CVE-2025-71319HIGH 7.5
The image-size npm package through version 2.0.2 contains a vulnerability that allows attackers to crash Node.js applications by sending specially crafted image files. When the package processes JXL or HEIF format images containing a box with a zero-valued size field, it enters an infinite loop that permanently blocks the application's event loop, causing a complete denial of service. No authentication or user interaction is required to exploit this issue—an attacker simply needs to send a malicious image to a vulnerable application.
- CVE-2025-71329HIGH 7.5
The image-size Node.js library versions up to 2.0.2 contain a vulnerability that allows an attacker to crash applications by sending a specially crafted image file. The attacker exploits how the library processes certain image formats (JXL and HEIF) by creating a box structure with a size field set to zero. This causes the parser to enter an infinite loop, freezing the application's event loop indefinitely. The attack requires no authentication and can be triggered remotely by any user who can send an image to an affected application.
- CVE-2025-71330HIGH 7.5
The image-size Node.js library through version 2.0.2 contains a denial-of-service flaw that allows attackers to freeze an application's event loop indefinitely. By sending a maliciously crafted ICNS image file with specific properties—valid header signature but a zero-length entry field—an attacker can cause the parser to spin in an endless loop, rendering the application unresponsive. No authentication is required, and the attack succeeds over the network against any system processing untrusted ICNS image data.