Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71319

CVE-2025-71319: image-size DoS Vulnerability

CVE-2025-71319 is a denial of service vulnerability in image-size library through version 2.0.2 that allows attackers to block the Node.js event loop with crafted images. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-71319 Overview

CVE-2025-71319 is a denial of service vulnerability affecting the image-size Node.js library through version 2.0.2. The flaw resides in the JPEG XL (JXL) and High Efficiency Image Format (HEIF) parsers, which fail to validate the size field of recognized box-type structures. A remote attacker can supply a crafted image buffer containing a box with a size of zero, causing the parser offset to stop advancing. The parsing loop never terminates, permanently blocking the Node.js event loop and rendering the application unresponsive. The vulnerability is tracked under CWE-835: Loop with Unreachable Exit Condition.

Critical Impact

Remote, unauthenticated attackers can hang any Node.js service that parses untrusted JXL or HEIF images using image-size, causing total service unavailability.

Affected Products

  • image-size npm package, all versions through 2.0.2
  • Node.js applications and services that pass attacker-controlled image data to image-size
  • Upstream web services, image processing pipelines, and content management systems embedding the affected library

Discovery Timeline

  • 2026-06-09 - CVE-2025-71319 published to the National Vulnerability Database
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2025-71319

Vulnerability Analysis

The image-size library parses container formats such as JXL and HEIF by iterating through a sequence of boxes. Each box advertises its own size, and the parser advances its offset by that value before reading the next box. The JXL and HEIF parsers do not reject a box whose declared size is zero. When the offset increment is zero, the loop counter never moves forward, and the parser re-reads the same box indefinitely. Because Node.js executes JavaScript on a single thread, this infinite loop blocks the event loop. Inbound requests, timers, and I/O callbacks cannot run until the process is restarted. The denial of service is permanent for the affected worker until external intervention.

Root Cause

The root cause is missing validation of the box size field in the JXL and HEIF parsing routines. Standard parser hygiene requires that any length-prefixed structure reject lengths smaller than the minimum header size. The affected versions perform no such lower-bound check, so a single malicious image is sufficient to trigger the unreachable exit condition described in [CWE-835].

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker uploads or supplies a crafted JXL or HEIF image to any endpoint that forwards image bytes to image-size. Common entry points include avatar uploads, image metadata extraction services, thumbnail generators, and serverless functions that probe image dimensions before storage. The attacker crafts a container with a valid magic signature followed by a box header declaring a size of zero. When the parser reaches that box, it enters the infinite loop and the hosting process becomes unresponsive.

No verified public exploit code is referenced in the advisory. See the VulnCheck Advisory: Image Size DoS and Joshua's DoS Vulnerability Analysis for additional technical details.

Detection Methods for CVE-2025-71319

Indicators of Compromise

  • Node.js worker processes consuming 100% of a single CPU core while serving no traffic
  • Application health checks timing out shortly after an image upload or image-processing request
  • Log gaps where an inbound request to an image-handling endpoint is received but no completion or error event follows
  • Inbound HTTP requests carrying JXL or HEIF payloads that immediately precede process hangs

Detection Strategies

  • Inventory all direct and transitive uses of image-size with npm ls image-size and flag any version at or below 2.0.2
  • Inspect proxy and web application firewall logs for requests with Content-Type: image/jxl or image/heif targeting upload endpoints
  • Add per-request timeouts around image-size calls and alert when timeouts fire, since the library itself does not return on a malicious input
  • Capture pcap or request samples of HEIF and JXL uploads and statically inspect for box headers declaring a size of zero

Monitoring Recommendations

  • Monitor event loop lag in Node.js services using perf_hooks or APM agents and alert on sustained lag above one second
  • Track per-process CPU saturation combined with stalled request counters in load balancer telemetry
  • Forward image-processing service logs to a central analytics backend and correlate upload events with subsequent worker restarts
  • Alert on repeated requests of identical small JXL or HEIF payloads from a single source address within a short window

How to Mitigate CVE-2025-71319

Immediate Actions Required

  • Upgrade image-size to a patched release above 2.0.2 once available and rebuild dependent services
  • Run image-size calls inside a worker thread or child process with a hard execution timeout so a hang cannot stall the main event loop
  • Reject uploads with JXL or HEIF MIME types at the edge until the library is patched if those formats are not required
  • Rate-limit image-processing endpoints and require authentication where business logic allows

Patch Information

A fix is tracked in the upstream repository through the pull request archived at the GitHub Pull Request Archive. Consumers should monitor the image-size npm registry page and upgrade to the first release that incorporates lower-bound validation of the box size field for JXL and HEIF parsing. Confirm the fix by reviewing the package changelog for references to CVE-2025-71319 or CWE-835.

Workarounds

  • Wrap calls to image-size in Promise.race against a timeout promise to forcibly abandon parsing of malicious inputs
  • Offload image parsing to a sandboxed worker process that can be killed and respawned without affecting the main service
  • Pre-validate uploaded files by checking that any container box header declares a size greater than or equal to its minimum header length before invoking image-size
  • Disable JXL and HEIF support in upstream image-validation middleware where these formats are not part of the supported feature set

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.