HIGH 7.5

CVE-2025-71330: Denial of Service in image-size ICNS Parser

The image-size Node.js library through version 2.0.2 contains a denial-of-service flaw that allows attackers to freeze an application's event loop indefinitely. By sending a maliciously crafted ICNS image file with specific properties—valid header signature but a zero-length entry field—an attacker can cause the parser to spin in an endless loop, rendering the application unresponsive. No authentication is required, and the attack succeeds over the network against any system processing untrusted ICNS image data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-835
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the ICNS image format parser within image-size. The parser uses a while loop to iterate through ICNS directory entries, incrementing an offset variable with each iteration. When an attacker supplies an entry with a zero-valued length field, the offset is never advanced (since the length is zero), and the loop condition remains perpetually satisfied. This causes the parser thread to consume 100% CPU and never yield control back to the Node.js event loop, effectively denying service to the entire application. The flaw is classified as an infinite loop (CWE-835) resulting in resource exhaustion.

Business impact

Applications that use image-size to process user-supplied or untrusted ICNS images face immediate availability risk. A single malicious ICNS upload can hang worker processes or entire services. Organizations hosting image processing pipelines, CDN services, or user file upload features are particularly exposed. The impact is service degradation or outage rather than data loss or unauthorized access, but availability failures directly affect SLA compliance and customer trust. Downstream users of image-size who incorporate it into security scanning or validation workflows may also experience cascading failures.

Affected systems

The image-size npm package version 2.0.2 and earlier are affected. This includes any Node.js application or microservice that imports image-size and calls its functions on ICNS image buffers without pre-validation. Web frameworks, content management systems, media processing tools, and cloud-based image hosting solutions that depend on image-size are in scope. Verify your dependency tree; image-size may be a transitive dependency of another package you use.

Exploitability

Exploitation is straightforward and requires no credentials or special privileges. An attacker only needs to craft and deliver a malicious ICNS file to an application endpoint that processes images. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects that the attack is network-accessible, has low complexity, requires no privileges, and does not depend on user interaction. However, exploitation is conditional on the application actually parsing ICNS files; applications that ignore ICNS or reject untrusted image formats are unaffected.

Remediation

Upgrade image-size to a version that includes the fix. Verify the patch version number in the project's release notes or GitHub repository, as stable patches are expected to be published. Alternatively, implement strict input validation upstream: reject or sandbox ICNS files if they are not essential to your use case, apply file-type whitelisting, and consider isolating image processing in separate worker processes with timeout guards. Rate-limiting on file uploads can reduce attack surface.

Patch guidance

Monitor the image-size project repository and npm package for a patched release beyond version 2.0.2. When available, update via npm update or npm install image-size@latest and run your test suite to confirm compatibility. If you maintain a lock file, regenerate it after updating. If you are a downstream maintainer of a package that depends on image-size, prioritize this update and release a new version that pins a safe version of image-size.

Detection guidance

Monitor for sudden CPU spikes or event loop lag in Node.js processes handling image uploads. Application performance monitoring tools should flag process hang events. In logs, look for ICNS parsing initiation followed by process unresponsiveness. Implement timeout guards around image processing calls. Network-level detection is challenging without deep packet inspection, but rate-limiting unusual or repeated failed image upload attempts may catch opportunistic attacks. Intrusion detection systems tuned for DoS patterns may identify multiple malicious ICNS submissions.

Why prioritize this

Although this vulnerability does not appear in the CISA Known Exploited Vulnerabilities (KEV) catalog, the high CVSS score (7.5) and trivial exploitation complexity warrant urgent patching, especially for publicly exposed image processing services. The DoS vector is straightforward and requires minimal attacker resources. Organizations with high-availability requirements or those accepting user-supplied images should prioritize this within 7–14 days.

Risk score, explained

The CVSS:3.1 score of 7.5 reflects high severity due to the availability impact (A:H), network accessibility (AV:N), and low attack complexity (AC:L). No confidentiality or integrity impact exists (C:N/I:N), limiting the score to the high range. The lack of authentication (PR:N) and no user interaction requirement (UI:N) make this remotely exploitable by any attacker. Organizations should treat a 7.5 HIGH vulnerability as a significant risk, especially when the attack vector is straightforward and the defending action (upgrade) is low-risk.

Frequently asked questions

Does this vulnerability affect image-size users on all platforms, or only specific operating systems?

The vulnerability affects image-size on all platforms (Linux, macOS, Windows, etc.) where Node.js runs, since the flaw is in the JavaScript parser logic, not in OS-specific code. ICNS is a macOS image format, but the parsing logic flaw exists regardless of the server's OS.

If our application does not use ICNS image format, are we safe?

Yes, if your application never calls image-size functions on ICNS buffers or always filters out ICNS files before processing, you are not directly at risk. However, verify that image-size is not being invoked on untrusted binary data in other code paths, and confirm that any transitive dependencies do not expose ICNS parsing without safeguards.

What is the difference between this vulnerability and a typical crash or hang vulnerability?

This vulnerability causes a resource-exhaustion event loop hang that freezes the entire Node.js process, rather than a segmentation fault or controlled exception. This makes it particularly impactful for single-threaded Node.js applications and requires process restart recovery. Containerized deployments with liveness probes may auto-recover, but the attack prevents legitimate traffic from being served during the hang.

Should we implement a timeout wrapper around image-size as a temporary mitigation?

Yes. Wrapping image-size calls in a timeout (e.g., 5–10 second limit) or using a child process with process.timeout() can prevent indefinite hangs while you patch. This is a good short-term mitigation for high-traffic services but should not replace upgrading to a patched version, as it adds overhead and may discard legitimate large images.

This analysis is provided for informational and defensive purposes only. The information is accurate as of the published and modified dates listed. Readers should verify patch version numbers and remediation steps against the official vendor advisory and project repository before deploying changes. Neither SEC.co nor its authors warrant the completeness, timeliness, or accuracy of any remediation guidance; organizations are responsible for testing patches in their own environments before production deployment. This vulnerability is not listed in the CISA KEV catalog as of the analysis date, but status may change. Consult the official npm security advisory and image-size GitHub repository for the latest information. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).