CVE-2025-71330

Source
https://cve.org/CVERecord?id=CVE-2025-71330
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71330.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71330
Published
2026-06-10T13:02:04.764Z
Modified
2026-07-08T07:01:39.636024745Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing
Details

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71330.json",
    "cwe_ids": [
        "CWE-835"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/image-size/image-size

Affected ranges

Type
GIT
Repo
https://github.com/image-size/image-size
Events
Database specific
{
    "cpe": "cpe:2.3:a:image-size:image-size:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "1.1.0"
        },
        {
            "last_affected": "1.2.1"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.0.2"
        }
    ]
}

Affected versions

v1.*
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v2.*
v2.0.0
v2.0.1
v2.0.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71330.json"