PatchSiren cyber security CVE debrief
CVE-2025-71319 image-size CVE debrief
CVE-2025-71319 is a high-severity denial-of-service vulnerability in image-size versions through 2.0.2. A remote attacker who can get the library to parse a crafted image buffer, one whose container header carries a recognized box type with a size field of zero, sends the JXL or HEIF parser into an infinite loop. Because the parse runs on the calling thread, that loop blocks the Node.js event loop until the process is killed or restarted; no further requests are served in the meantime.
- Vendor
- image-size
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-10
Who should care
Developers and administrators who run image-size through 2.0.2 on untrusted image data in a Node.js process, for example to read the dimensions of user uploads or of images fetched from external URLs, are exposed. A single crafted request is enough to take the whole process offline, so any service where the library sits in a request path should be treated as affected until it is upgraded.
Technical summary
Both HEIF and the JXL container format are built from a sequence of length-prefixed boxes: each box starts with a 4-byte size (which covers the header itself) followed by a 4-byte type tag. A parser walks the file by reading one header, doing whatever it needs with that box, and then advancing its offset by the size field to reach the next box. When the size field is zero, an offset that is advanced by "size" does not move at all, so the parser reads the same recognized box header forever. Note that a zero size is not inherently invalid in the ISOBMFF family (it means "this box runs to the end of the file"), so the fix is to resolve that case explicitly and to reject any box that would not move the offset forward by at least a header's length, rather than to reject size zero outright. In image-size through 2.0.2 the JXL and HEIF parsers lack such a guard, and because the parse is synchronous on the calling thread the infinite loop blocks the Node.js event loop, which is the denial of service.
Defensive priority
high
Recommended defensive actions
- Update to a patched release of image-size (the debrief cites 2.0.3 or later as an example); verify the installed version with `npm ls image-size`, since the library is often pulled in transitively.
- Until the upgrade lands, keep image parsing off the main thread: run image-size in a worker thread or child process with a hard timeout, so a hung parse costs one worker rather than the whole event loop. Limit the size of accepted uploads as well; it does not stop this bug, but it bounds the cost of any parser abuse.
- Input validation at the application layer is of limited use here, because the library itself is the component that interprets the container format; a dedicated image sanitizer that re-encodes uploads before they reach other parsers is the practical form of this advice.
- A Web Application Firewall is unlikely to detect a zero-valued box size inside a binary upload; treat WAF rules as defense in depth at most, not as a mitigation for this CVE.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2025-71319 was published on 2026-06-09 and last modified on 2026-06-10.