CVE-2025-71330 | image-size through 2.0.2 contains a denial of service vulner… | CVSS 7.5 HIGH

Description

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

Metadata

CVE ID: CVE-2025-71330
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 12:57 UTC
Published: 2026-06-10 13:02 UTC
Last updated: 2026-06-10 14:05 UTC
Primary CWE: CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
Vendor / Product: image-size / image-size
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
image-size	image-size	—	1.1.0 ≤ 1.2.1, 2.0.0 ≤ 2.0.2

Weakness (CWE)

CWE	Source	Description
CWE-835	cna	Loop with Unreachable Exit Condition ('Infinite Loop')

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (3)