HIGH 7.5

CVE-2025-71319: image-size Denial of Service via Malformed JXL/HEIF Images

The image-size npm package through version 2.0.2 contains a vulnerability that allows attackers to crash Node.js applications by sending specially crafted image files. When the package processes JXL or HEIF format images containing a box with a zero-valued size field, it enters an infinite loop that permanently blocks the application's event loop, causing a complete denial of service. No authentication or user interaction is required to exploit this issue—an attacker simply needs to send a malicious image to a vulnerable application.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-835
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-07-15

NVD description (verbatim)

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-71319 is a denial of service vulnerability in the image-size library's JXL and HEIF image parsing logic. The vulnerability stems from improper handling of box-type structures where the size field is set to zero. During parsing, the code advances the parsing offset by the box size; when size equals zero, the offset never advances, creating an infinite loop that consumes CPU and blocks the Node.js event loop indefinitely. This prevents the application from processing any further requests or operations. The issue is classified as CWE-835 (Loop with Unreachable Exit Condition).

Business impact

For organizations using image-size in production services, this vulnerability enables trivial denial of service attacks. A single malicious image request can hang an entire application, making services unavailable to legitimate users. This is particularly concerning for web applications, APIs, or microservices that automatically process user-supplied images (thumbnails, uploads, analysis). The impact scales with deployment topology—containerized environments may mask symptoms temporarily through restarts, but do not eliminate the root cause and can incur significant resource overhead.

Affected systems

The image-size npm package version 2.0.2 and earlier are affected. Any application using this package to parse JXL or HEIF image formats is vulnerable. This includes web servers, image processing pipelines, CDNs with image optimization, and any Node.js service that ingests user-supplied image data. Check your project's package-lock.json or yarn.lock to confirm the installed version.

Exploitability

Exploitability is high. The attack requires no authentication, no special privileges, and no user interaction. An attacker needs only to craft a minimal image file with a zero-valued size field in a recognized box structure and send it to an application processing images. No interaction with end users or admins is required. The barrier to weaponization is extremely low, making this a practical threat in any environment where user-supplied image uploads or processing occurs.

Remediation

Upgrade image-size to a version patched for this issue. Verify the patch version against the official npm package repository and the vendor's advisory. In the interim, if upgrading is not immediately feasible, implement strict image format validation and file size limits upstream of the image-size library, and consider rate-limiting or rejecting image processing requests from untrusted sources. Monitor application event loop latency and CPU usage for signs of exploitation.

Patch guidance

Check the npm registry for image-size versions published after 2.0.2. Apply the patched version via your package manager (npm update image-size or yarn upgrade image-size). Verify the fix by reviewing the vendor's release notes to confirm the JXL and HEIF parsing logic has been corrected to properly handle zero-sized boxes. Test the patch in a non-production environment before rolling out to production services.

Detection guidance

Monitor for spikes in CPU usage or event loop lag coinciding with image processing requests. Log and inspect image files submitted to the application for unusual box structures or zero-sized fields. Implement network-level detection by inspecting incoming image traffic for malformed JXL or HEIF headers. Application performance monitoring (APM) tools can alert on event loop blocking or request timeouts during image processing operations. Consider fuzzing your image processing endpoints with crafted payloads to validate fixes.

Why prioritize this

This vulnerability merits rapid remediation due to its high CVSS score (7.5), trivial exploitability, and severe business impact. Unlike vulnerabilities requiring specific user actions or authenticated access, this attack can be executed by any network attacker against any application using image-size for JXL or HEIF parsing. The ease of triggering a complete denial of service makes this a priority for any organization relying on image processing.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with low complexity and no privilege or user interaction requirements. The attack vector is network-based, and the impact is a complete denial of service (availability is fully compromised). While confidentiality and integrity are not affected, the severity justifies urgent patching due to the ease of exploitation and business criticality of service availability.

Frequently asked questions

Does this vulnerability affect image-size versions before 2.0.2?

The advisory states the vulnerability affects image-size through version 2.0.2, meaning all earlier versions are also vulnerable. If you are using any version prior to the patched release, upgrade immediately.

Can this vulnerability leak sensitive data or modify files?

No. This vulnerability only causes denial of service by blocking the event loop. It does not allow reading, writing, or exfiltrating data. The attack is limited to crashing or hanging the application.

What image formats are affected?

The vulnerability specifically affects JXL (JPEG XL) and HEIF (High Efficiency Image Format) parsing. Applications processing other formats through image-size may still be vulnerable if they include JXL or HEIF support enabled by default.

Is there a workaround if we cannot patch immediately?

Possible interim measures include disabling JXL and HEIF support if not required, validating image files with external tools before passing them to image-size, implementing request-level rate limiting on image endpoints, and using containerized deployments with automatic restart policies. However, these are temporary mitigations only—patching is the proper fix.

This analysis is based on published CVE data as of the modification date (2026-07-15). Verification of patch availability, patch version numbers, and specific remediation steps should be confirmed directly with the npm package repository and official vendor advisories. Organizations should conduct their own risk assessment based on their specific use cases, deployment environments, and image-size usage patterns. This vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but absence from KEV does not indicate low risk or reduced likelihood of exploitation. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).