Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71329

CVE-2025-71329: image-size Library DoS Vulnerability

CVE-2025-71329 is a denial of service flaw in image-size through 2.0.2 that allows attackers to block Node.js event loop with crafted images. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-71329 Overview

CVE-2025-71329 is a denial of service vulnerability in the image-size Node.js package through version 2.0.2. The flaw lives in the JPEG XL (JXL) and High Efficiency Image Format (HEIF) parsers. A remote attacker can supply a crafted image buffer that contains a recognized box-type with a size field set to zero. The parser fails to advance its offset and enters an infinite loop, permanently blocking the Node.js event loop. Any application that processes untrusted images through image-size can be hung indefinitely with a single malicious file. The weakness is classified as [CWE-835] Loop with Unreachable Exit Condition.

Critical Impact

A single crafted JXL or HEIF buffer permanently hangs the Node.js event loop, halting all request processing in the affected service.

Affected Products

  • image-size npm package versions up to and including 2.0.2
  • Node.js applications that pass untrusted image data to image-size
  • Server-side image processing pipelines and web services depending on this library

Discovery Timeline

  • 2026-06-10 - CVE-2025-71329 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2025-71329

Vulnerability Analysis

The image-size library parses container formats by walking a sequence of boxes. Each box begins with a size field followed by a four-byte type identifier. The JXL and HEIF parsers use the size field to advance an internal offset to the next box. When a parser encounters a recognized box-type with a size of zero, the offset increment becomes zero. The while-loop driving the parser then re-reads the same box on every iteration and never reaches the end of the buffer.

Because Node.js executes JavaScript on a single event loop thread, the runaway loop blocks every other pending task. Inbound HTTP requests, timers, and I/O callbacks all stall until the process is terminated. The attacker needs no authentication or user interaction, only the ability to deliver an image buffer to a code path that calls image-size.

Root Cause

The parsers trust the box size value without validating that it is greater than zero before using it to advance the read offset. There is no minimum-size check and no upper bound on parsing iterations. A zero-valued size in any recognized box-type therefore produces an unterminated loop, matching the classic [CWE-835] pattern.

Attack Vector

Exploitation requires sending a crafted JXL or HEIF file to any endpoint that hands the bytes to image-size. Common vectors include user avatar uploads, image preview generation, thumbnailing services, and metadata extraction in content pipelines. The attack consumes minimal bandwidth — a small file is sufficient — but renders the worker process unresponsive until manual restart.

The vulnerability mechanism is documented in the VulnCheck Advisory on DoS and in Joshua's DoS Loop Vulnerabilities. No verified proof-of-concept code is reproduced here.

Detection Methods for CVE-2025-71329

Indicators of Compromise

  • Node.js worker processes pinned at 100% CPU on a single core with no progress on the event loop
  • Health check endpoints timing out shortly after an image upload or fetch operation
  • Inbound JXL or HEIF files where the first box header declares a size of zero
  • Stack traces or --prof output showing repeated execution inside JXL or HEIF parsing functions of image-size

Detection Strategies

  • Inventory package.json and package-lock.json files across repositories and build artifacts for image-size at or below 2.0.2.
  • Inspect image ingress points and confirm whether attacker-controlled bytes reach the library.
  • Add request timeouts and per-worker watchdogs that flag image parsing calls exceeding an expected duration.

Monitoring Recommendations

  • Alert on sustained single-thread CPU saturation in Node.js services that handle uploads.
  • Log file type, size, and source for every call into image-size to support post-incident triage.
  • Track event-loop lag metrics and trigger alerts when lag exceeds normal baselines for the workload.

How to Mitigate CVE-2025-71329

Immediate Actions Required

  • Upgrade image-size to a version above 2.0.2 once a fixed release is published by the maintainers.
  • Audit all direct and transitive dependencies using npm ls image-size and pin the patched version.
  • Restrict image parsing to isolated worker processes with strict CPU and wall-clock limits.
  • Reject JXL and HEIF inputs at the application boundary until a patched version is deployed.

Patch Information

Fix discussion and code changes are tracked in the upstream repository as referenced by the GitHub Pull Request Analysis. Consult the VulnCheck Advisory on DoS for the authoritative list of fixed versions before deploying.

Workarounds

  • Run image-size calls inside a Node.js worker_thread with a timeout that terminates the worker if parsing exceeds a safe threshold.
  • Validate file headers and reject buffers whose first box declares a size of zero before invoking the parser.
  • Block JXL and HEIF MIME types at the upload gateway if those formats are not required by the application.
bash
# Configuration example: enforce a parser timeout using a worker thread
node -e "const { Worker } = require('worker_threads'); const w = new Worker('./parse-image.js', { workerData: buf }); const t = setTimeout(() => w.terminate(), 2000); w.on('exit', () => clearTimeout(t));"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.