PatchSiren cyber security CVE debrief
CVE-2025-71329 image-size CVE debrief
CVE-2025-71329 is a high-severity denial of service vulnerability in image-size through 2.0.2. An attacker who can get an application to parse an image they control can supply a crafted buffer in which a recognized box type carries a size field of zero; the JXL or HEIF parser then loops without ever advancing through the buffer, so the call never returns and the application hangs until the process is restarted. The vulnerability has a CVSS score of 8.7 and is rated HIGH severity.
- Vendor: image-size
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Developers and administrators whose applications depend on image-size through 2.0.2, directly or as a transitive dependency, and pass images from untrusted sources to it (uploads, fetched URLs, user-supplied files) should treat this as a remotely triggerable hang and plan an upgrade.
Technical summary
The affected JXL and HEIF parsers walk the box structure of the file, in which each box begins with a 4-byte size followed by a 4-byte type. A crafted buffer sets the size field of a recognized box type to zero. A parser that advances its read offset by the declared size then makes no progress on that box, so the loop that walks the boxes never terminates. In the ISOBMFF layout that HEIF and the JXL container use, a size of zero has a defined meaning (the box extends to the end of the file), so a correct parser must either apply that rule or reject the box rather than take the value literally. No memory corruption is involved; the impact is loss of availability of the process that called the parser.
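The following is an added example, not code from image-size or from this advisory: a minimal ISOBMFF-style box walker written in the naive form that makes no progress on a zero-size box, beside a hardened form that applies the size-0 and size-1 rules and rejects any box that cannot move the offset forward. The box types, payloads and the iteration budget in the naive walker are constructed for the demonstration.

```javascript
// Added example, not image-size's code: a minimal ISOBMFF-style box walker
// (the layout HEIF files and the JXL container share) in naive and hardened form.
// All inputs below are constructed for the demonstration.
'use strict';

const HEADER_LEN = 8; // 4-byte big-endian size + 4-byte type

class HangDetected extends Error {}
class MalformedBox extends Error {}

// Decode one box header at `offset` with ISOBMFF semantics:
// size 0 => the box extends to the end of the buffer; size 1 => a 64-bit
// largesize follows the type field; anything else is the literal box size.
function readBoxHeader(buf, offset) {
  if (offset + HEADER_LEN > buf.length) throw new MalformedBox(`truncated header at ${offset}`);
  let size = buf.readUInt32BE(offset);
  const type = buf.toString('latin1', offset + 4, offset + 8);
  let headerLen = HEADER_LEN;
  if (size === 1) {
    if (offset + 16 > buf.length) throw new MalformedBox(`truncated largesize at ${offset}`);
    const large = buf.readBigUInt64BE(offset + 8);
    if (large > BigInt(Number.MAX_SAFE_INTEGER)) throw new MalformedBox(`largesize too big at ${offset}`);
    size = Number(large);
    headerLen = 16;
  } else if (size === 0) {
    size = buf.length - offset;
  }
  return { type, size, headerLen };
}

// Naive walker: advances by the declared size with no progress check, so a
// zero size field leaves `offset` unchanged and the loop never ends. The
// iteration budget is a harness for this demonstration only, so the hang can be
// observed rather than suffered; the pattern the advisory describes has none.
function findBoxNaive(buf, wanted, budget = 1000) {
  let offset = 0;
  let iterations = 0;
  while (offset + HEADER_LEN <= buf.length) {
    if (++iterations > budget) throw new HangDetected(`no progress at offset ${offset}`);
    const size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    if (type === wanted) return { offset, size };
    offset += size; // size === 0: offset stays put, forever
  }
  return null;
}

// Hardened walker: applies the size-0 / size-1 rules, rejects a box smaller
// than its own header or larger than the remaining buffer, and only then moves
// the offset. Every declared size that survives the checks advances the cursor.
function findBoxHardened(buf, wanted) {
  let offset = 0;
  while (offset + HEADER_LEN <= buf.length) {
    const { type, size, headerLen } = readBoxHeader(buf, offset);
    if (size < headerLen) throw new MalformedBox(`box '${type}' at ${offset}: size ${size} < header`);
    if (offset + size > buf.length) throw new MalformedBox(`box '${type}' at ${offset} overruns buffer`);
    if (type === wanted) return { offset, size };
    const next = offset + size;
    if (next <= offset) throw new MalformedBox(`no forward progress at ${offset}`); // unreachable after the checks above, kept as defence in depth
    offset = next;
  }
  return null;
}

// Build a box; `declaredSize` overrides the real size to forge a bad header.
function box(type, payload = Buffer.alloc(0), declaredSize) {
  const hdr = Buffer.alloc(HEADER_LEN);
  hdr.writeUInt32BE(declaredSize === undefined ? HEADER_LEN + payload.length : declaredSize, 0);
  hdr.write(type, 4, 4, 'latin1');
  return Buffer.concat([hdr, payload]);
}

// Constructed inputs (not real files): a benign ftyp+meta pair, the same pair
// with the ftyp size field forged to 0, and a meta box that claims to be 4 bytes.
const benign = Buffer.concat([box('ftyp', Buffer.from('heic')), box('meta', Buffer.alloc(4))]);
const crafted = Buffer.concat([box('ftyp', Buffer.from('heic'), 0), box('meta', Buffer.alloc(4))]);
const undersized = box('meta', Buffer.alloc(0), 4);
```

On the benign pair both walkers locate the meta box at offset 12. On the crafted pair the naive walker reads size 0, adds it to the offset and re-reads the same header indefinitely (the harness budget turns that into a HangDetected error), while the hardened walker treats size 0 as "to end of buffer", skips past it and returns null. The undersized box is rejected before its type is even compared.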
Defensive priority
High
Recommended defensive actions
- Upgrade image-size to a release later than 2.0.2 that addresses CVE-2025-71329, and check the lockfile for transitive copies pulled in by other packages, not only the direct dependency
- Until the upgrade ships, treat image parsing as untrusted-input handling: enforce upload size limits and run the parser under a timeout in a worker or separate process, so a hung parse is killed instead of stalling the service. Content-type or extension checks alone do not help, because the malicious file is a structurally plausible HEIF or JXL container that differs from a benign one only in a single size field
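The following is an added example, not PatchSiren's or image-size's code, for the first action above: it walks a package-lock.json and reports every installed copy of image-size at or below 2.0.2, including transitive copies nested under other packages, which a plain dependency list misses. The two lockfiles are constructed; the package names "some-cms" and "other-lib" and the version 9.9.9 are hypothetical placeholders (the advisory does not state the fixed version, so 9.9.9 stands in only to show the filter).

```javascript
// Added example, not PatchSiren's or image-size's code: find every installed
// copy of image-size at or below 2.0.2 in a package-lock.json, including
// transitive copies nested under other packages. The lockfiles below are
// constructed; "some-cms", "other-lib" and the 9.9.9 version are hypothetical.
'use strict';

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0. A pre-release sorts below the release with the same core,
// so "2.1.0-beta.1" counts as older than "2.1.0".
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Yield { path, version } for each image-size entry. lockfileVersion 2/3 keeps a
// flat "packages" map keyed by node_modules path; lockfileVersion 1 nests a
// "dependencies" tree, which is walked recursively.
function* imageSizeEntries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/image-size') && meta.version) yield { path, version: meta.version };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'image-size' && meta.version) yield { path, version: meta.version };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Copies still in the affected range: version <= lastAffected (2.0.2 per the advisory).
function affectedImageSize(lock, lastAffected = '2.0.2') {
  return [...imageSizeEntries(lock)].filter((e) => compareSemver(e.version, lastAffected) <= 0);
}

// Constructed lockfileVersion 3 document: a direct 2.0.2, a transitive 1.1.1
// under "some-cms", and a copy at the hypothetical version 9.9.9 under "other-lib".
const lockV3 = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'image-size': '^2.0.0', 'some-cms': '^1.0.0', 'other-lib': '^1.0.0' } },
    'node_modules/image-size': { version: '2.0.2' },
    'node_modules/some-cms': { version: '1.0.0', dependencies: { 'image-size': '^1.0.0' } },
    'node_modules/some-cms/node_modules/image-size': { version: '1.1.1' },
    'node_modules/other-lib': { version: '1.0.0' },
    'node_modules/other-lib/node_modules/image-size': { version: '9.9.9' },
  },
};

// The same situation expressed in the older lockfileVersion 1 layout.
const lockV1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-cms': { version: '1.0.0', dependencies: { 'image-size': { version: '1.1.1' } } },
    'image-size': { version: '2.0.2' },
  },
};
```

To run it against a real project, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the object to `affectedImageSize`; every path it returns is a copy that still needs the upgrade, and a nested path means the fix has to come from (or be forced onto) the parent package, not just the top-level dependency.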
Evidence notes
The vulnerability was reported by Joshua and is documented in the CVE-2025-71329 record on [cve-org](resourceLinkAnnotations.cve-org). Additional information can be found on [nvd](resourceLinkAnnotations.nvd), [ref-4](resourceLinkAnnotations.ref-4), [ref-5](resourceLinkAnnotations.ref-5), and [ref-6](resourceLinkAnnotations.ref-6).
Official resources
CVE-2025-71329 was published on 2026-06-10T14:16:30.160Z and modified on 2026-06-10T19:43:28.857Z.