image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing
CVE-2025-71330

8.7HIGH

Key Information:

Vendor: Image-size
Status: Image-size
Vendor: CVE Published:; 10 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-71330?

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

Affected Version(s)

image-size 1.1.0 <= 1.2.1

image-size 2.0.0 <= 2.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-71330 - Proof of Concept

References

https://joshua.hu/image-size-infinite-loop-dos-vulnerabil...

technical-descriptionexploit

https://web.archive.org/web/20260224152152/https://github...

patch

https://www.vulncheck.com/advisories/image-size-denial-of...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 10, 2026
👾
Exploit known to exist
Jun 10, 2026
Vulnerability published
Jun 10, 2026
Vulnerability Reserved
Jun 10, 2026

Credit

Preston Price (@prestonprice57)

CVE-2025-71330 Data

JSON

Image-size

Badges

What is CVE-2025-71330?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit