CVE-2025-71329: Infinite Loop DoS in image-size Library—Vulnerability Explanation & Patch Guidance
The image-size Node.js library versions up to 2.0.2 contain a vulnerability that allows an attacker to crash applications by sending a specially crafted image file. The attacker exploits how the library processes certain image formats (JXL and HEIF) by creating a box structure with a size field set to zero. This causes the parser to enter an infinite loop, freezing the application's event loop indefinitely. The attack requires no authentication and can be triggered remotely by any user who can send an image to an affected application.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-835
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-71329 is an infinite loop vulnerability (CWE-835) in the image-size library's JXL and HEIF image parsers. The vulnerability occurs when the parser encounters a box with a zero-valued size field. Because the parser advances its offset based on the box size, a zero-sized box causes the offset to remain unchanged, creating an infinite loop condition that permanently blocks the Node.js event loop. The issue affects versions through 2.0.2 and can be triggered by supplying a malformed image buffer to the library's parsing functions.
Business impact
Applications relying on image-size for image processing face denial-of-service risk. A single malicious image upload or processing request can hang the entire Node.js process, making the application unresponsive to legitimate users. For services handling user-submitted images (content platforms, media management systems, image optimization pipelines), this vulnerability creates a vector for application-level denial of service that requires no special privileges to exploit. Availability impact is severe, though data confidentiality and integrity are not affected.
Affected systems
The image-size Node.js package version 2.0.2 and earlier are vulnerable. Any application that imports and uses image-size to analyze JXL or HEIF image formats is at risk. This includes web applications, image processing services, content management systems, and automation workflows that accept user-supplied images. Applications using only other image formats supported by the library (PNG, JPEG, GIF, etc.) are unaffected by this specific vulnerability.
Exploitability
This vulnerability is straightforward to exploit and requires minimal complexity. An attacker needs only to craft a valid image file with a box containing a zero size field and supply it to an application using image-size. No special tooling, authentication, or user interaction is required—a network-accessible endpoint that processes images is sufficient. The attack surface is high for any service accepting image uploads or processing images from untrusted sources.
Remediation
Organizations should upgrade the image-size package to a patched version as soon as one is released by the maintainers. Until a patch is available, implement input validation and sandboxing: restrict image format support to formats not vulnerable to this issue (avoiding JXL and HEIF processing if possible), implement timeout mechanisms on image parsing operations, and consider processing images in isolated worker processes that can be safely terminated. Monitor npm for updates to image-size and prioritize patching in your dependency chain.
Patch guidance
Check the image-size npm package repository for version releases after 2.0.2. Verify the patch version number against the official npm registry and the project's GitHub releases. Update your package.json dependency to the fixed version and rebuild your application. If using npm, run 'npm update image-size' after the patch is available. Test image processing functionality after upgrade, particularly with JXL and HEIF formats, to confirm the infinite loop is resolved.
Detection guidance
Monitor Node.js processes for event loop blocking and hangs when processing images. Implement application-level timeouts on image parsing operations—if image-size takes longer than expected (e.g., >5 seconds for a typical image), terminate the operation. Review application logs for stuck or frozen processes correlating with image processing requests. Consider implementing runtime analysis to detect infinite loops in parsing libraries. Network-based detection is limited; focus on application behavior monitoring and dependency scanning in your CI/CD pipeline.
Why prioritize this
This is a HIGH severity vulnerability (CVSS 7.5) due to high exploitability and significant availability impact. It requires no authentication, no user interaction, and no special network conditions. The attack surface is broad for any web service or API accepting images. While the CVSS reflects availability-only impact, the ease of exploitation and potential for widespread application crashes in image-processing workflows makes rapid patching important. It is not currently listed in CISA's KEV catalog, but organizations should treat it as priority given the low barrier to exploitation.
Risk score, explained
The CVSS v3.1 score of 7.5 reflects a HIGH severity vulnerability with a network attack vector, low attack complexity, no privileges required, and no user interaction. The impact is limited to availability (permanent denial of service), with no confidentiality or integrity compromise. The score appropriately reflects the seriousness for availability-focused services but may underestimate risk for mission-critical applications where extended downtime is unacceptable.
Frequently asked questions
Do I need to worry about this if I only process PNG and JPEG images?
No. This vulnerability is specific to JXL and HEIF image format parsing. If your application does not process JXL or HEIF files, or if you've disabled those format handlers, you are not affected by this particular vulnerability.
What happens if an image-size parser hangs—can the application recover automatically?
No. An infinite loop in the Node.js event loop is permanent for that process. The process will remain hung indefinitely, requiring manual termination or restart. This is why timeout mechanisms and sandboxed processing are important mitigations.
Is there a workaround if we can't patch immediately?
Yes, implement a timeout wrapper around image-size calls (e.g., using Promise.race() with a timeout). Additionally, process images in worker threads or child processes that can be forcefully terminated if they exceed a time threshold. Disable JXL and HEIF processing if not needed for your use case.
Will updating image-size break my application?
Most updates should be backward-compatible. However, test the patched version in a staging environment first, especially if you rely on specific parsing behavior or image format handling. The fix itself should only eliminate the infinite loop without changing the API.
This analysis is based on vulnerability data published as of June 2026. Patch availability, exploit status, and vendor advisories may change; verify the latest status with the image-size project on npm and GitHub before deployment. This is an informational resource and does not constitute security advice tailored to your specific environment. Organizations should conduct their own risk assessment based on their image-size usage, supported formats, and business criticality of image processing services. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71319HIGHimage-size Denial of Service via Malformed JXL/HEIF Images
- CVE-2025-71330HIGHDenial of Service in image-size ICNS Parser
- CVE-2026-44186HIGHApache HTTP Server mod_proxy_ftp Infinite Loop Denial of Service
- CVE-2026-46385HIGHiskorotkov/avro Denial-of-Service via Unbounded Block Iteration
- CVE-2026-10028MEDIUMglib-networking GnuTLS Certificate Validation Denial-of-Service
- CVE-2026-41150MEDIUMMermaid Gantt Chart DoS via Excludes Attribute
- CVE-2026-44740MEDIUMBilly Go Library Denial-of-Service via Input Validation Flaws
- CVE-2026-46146MEDIUMLinux Kernel USB Audio Infinite Loop DoS Vulnerability