image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser
CVE-2025-71329

8.7HIGH

Key Information:

Vendor: Image-size
Status: Image-size
Vendor: CVE Published:; 10 June 2026

Badges

👾 Exploit Exists

What is CVE-2025-71329?

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.

Affected Version(s)

image-size 1.1.0 <= 1.2.1

image-size 2.0.0 <= 2.0.2

References

https://joshua.hu/image-size-infinite-loop-dos-vulnerabil...

technical-descriptionexploit

https://web.archive.org/web/20260224152152/https://github...

patch

https://www.vulncheck.com/advisories/image-size-denial-of...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 10, 2026
👾
Exploit known to exist
Jun 10, 2026
Vulnerability published
Jun 10, 2026
Vulnerability Reserved
Jun 10, 2026

Credit

Joshua Rogers (@MegaManSec)

CVE-2025-71329 Data

JSON

Image-size

Badges

What is CVE-2025-71329?

Affected Version(s)

References

CVSS V4

Timeline

Credit