CVE-2025-71330 Overview
CVE-2025-71330 is a denial of service vulnerability in the image-size Node.js library through version 2.0.2. Remote attackers can permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. The flaw resides in the ICNS parser, which fails to increment its offset when an entry length field is zero. This causes the parsing while loop to remain true indefinitely, producing an infinite loop condition tracked as [CWE-835].
Critical Impact
A single malformed ICNS image submitted to any server-side application using image-size can stall the Node.js event loop, halting all request processing and producing a complete service outage.
Affected Products
- image-size npm package versions through 2.0.2
- Node.js applications that process untrusted ICNS image input via image-size
- Server-side image processing pipelines depending on the vulnerable parser
Discovery Timeline
- 2026-06-10 - CVE-2025-71330 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2025-71330
Vulnerability Analysis
The image-size library parses image metadata across multiple formats, including Apple Icon Image (ICNS). The ICNS parser iterates through entries in the buffer using a while loop that advances an offset based on each entry's length field. When a crafted ICNS buffer contains valid magic bytes followed by an entry whose length field is set to zero, the parser never advances the offset. The loop condition continues to evaluate as true, and the parser executes indefinitely on a single thread.
Node.js uses a single-threaded event loop. An infinite loop inside synchronous parsing code blocks all other request handlers, timers, and I/O callbacks. The result is a complete denial of service for the affected process.
Root Cause
The root cause is missing input validation on the ICNS entry length field. The parser assumes each entry advances the read position by a positive number of bytes. It does not enforce a minimum increment or reject zero-valued length fields. This violates safe parsing practices for attacker-controlled binary formats and maps directly to [CWE-835] (Loop with Unreachable Exit Condition).
Attack Vector
An unauthenticated remote attacker submits a crafted ICNS file to any endpoint that passes user-supplied image data to image-size. Common exposures include avatar upload handlers, image preview services, and file metadata extractors. No authentication, user interaction, or special privileges are required. The Node.js worker handling the request becomes unresponsive and remains stuck until the process is terminated.
For technical analysis of the parsing flaw, see the Joshua Hu DoS Vulnerabilities writeup and the VulnCheck DoS Advisory.
Detection Methods for CVE-2025-71330
Indicators of Compromise
- Node.js worker processes consuming 100% CPU on a single core with no progress on request handling
- HTTP request timeouts and event loop lag spikes correlated with ICNS or .icns file uploads
- Inbound files with the ICNS magic bytes icns followed by entry headers containing a zero-valued length field
Detection Strategies
- Inventory dependencies and flag any application that resolves image-size at version 2.0.2 or earlier using npm ls image-size
- Monitor Node.js event loop lag through metrics such as perf_hooks.monitorEventLoopDelay and alert on sustained delays above operational baselines
- Inspect uploaded image files at the gateway for the ICNS format and validate entry length fields before passing buffers to downstream parsers
Monitoring Recommendations
- Log and alert on long-running synchronous handlers and processes that fail health checks while pinned to one CPU
- Track upload endpoints for anomalous file types, especially .icns submissions to services that do not require Apple icon processing
- Correlate web application logs with process restarts to identify repeated DoS attempts targeting image parsing routes
How to Mitigate CVE-2025-71330
Immediate Actions Required
- Upgrade image-size to a fixed version above 2.0.2 once published by the maintainers, tracked in the upstream pull request
- Restrict accepted image formats at the application layer and reject ICNS uploads where they are not a functional requirement
- Run image parsing in worker threads or isolated child processes with strict execution timeouts to contain runaway parsers
Patch Information
The fix is tracked in the upstream image-size repository through pull request 439, which adds validation to prevent the ICNS parser from looping when the entry length field is zero. Refer to the GitHub Pull Request Archive and the VulnCheck DoS Advisory for the patched release version.
Workarounds
- Wrap calls to image-size in a timeout using worker_threads and terminate workers that exceed an expected parsing duration
- Validate ICNS buffers before parsing by rejecting any entry header with a length field of zero or below the minimum valid size
- Deploy a request-size limit and content-type allowlist at the reverse proxy to reduce exposure of the parsing endpoint
# Audit and update the vulnerable dependency
npm ls image-size
npm install image-size@latest
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

