PatchSiren cyber security CVE debrief
CVE-2025-71330 image-size CVE debrief
CVE-2025-71330 is a high-severity denial of service vulnerability in image-size through 2.0.2. Remote attackers can exploit this vulnerability by supplying a specially crafted ICNS image buffer, potentially causing a permanent block of the Node.js event loop. The vulnerability is caused by an infinite loop in the ICNS parser when it encounters an ICNS buffer with valid magic bytes and a zero-valued entry length field.
- Vendor: image-size
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Developers and administrators using the image-size package, especially in Node.js environments, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The image-size package through version 2.0.2 contains a denial of service vulnerability. A remote attacker can permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer: one with valid magic bytes and an entry whose length field is 0. The ICNS parser walks the entries by adding each entry's declared length to the current offset, so when that length is 0 the offset is never incremented, the while loop condition remains true indefinitely, and the parser never returns.
Defensive priority
high
Recommended defensive actions
- Update the image-size package to a version that fixes this vulnerability.
- Implement input validation and sanitization for ICNS image buffers to prevent exploitation.
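The loop-termination failure described in the technical summary, and the input validation recommended above, shown as an added example (not image-size's own code): a bounded ICNS entry walker that rejects an entry whose length field is smaller than its own header instead of spinning. The `ic07`/`ic08` sample buffers are constructed here for the demonstration and are not real icon files.

```javascript
const MAGIC = 'icns';
const FILE_HEADER = 8;  // 4-byte magic + 4-byte big-endian file length
const ENTRY_HEADER = 8; // 4-byte OSType + 4-byte big-endian entry length (header included)

// Bounded walk over ICNS entries. Returns { ok: true, entries } or { ok: false, reason }.
// Every iteration either advances `offset` by at least ENTRY_HEADER or returns,
// so the loop terminates for any input, including the zero-length entry case.
function walkIcnsEntries(buf) {
  if (buf.length < FILE_HEADER || buf.toString('latin1', 0, 4) !== MAGIC) {
    return { ok: false, reason: 'not an ICNS buffer' };
  }
  // Never trust the declared file length beyond the bytes actually held.
  const end = Math.min(buf.readUInt32BE(4), buf.length);
  const entries = [];
  let offset = FILE_HEADER;
  while (offset + ENTRY_HEADER <= end) {
    const type = buf.toString('latin1', offset, offset + 4);
    const length = buf.readUInt32BE(offset + 4);
    // The bug class: a length below the header size (0 in the CVE) would leave
    // `offset` unchanged on the next pass, so reject it instead of looping.
    if (length < ENTRY_HEADER) {
      return { ok: false, reason: `entry '${type}' at ${offset} has invalid length ${length}` };
    }
    if (offset + length > end) {
      return { ok: false, reason: `entry '${type}' at ${offset} overruns the buffer` };
    }
    entries.push({ type, length });
    offset += length;
  }
  return { ok: true, entries };
}

// Constructed sample buffers (not real icon files): specs are [type, declaredLength, payload].
function buildIcns(specs) {
  const body = Buffer.concat(specs.map(([type, length, payload]) => {
    const header = Buffer.alloc(ENTRY_HEADER);
    header.write(type, 0, 4, 'latin1');
    header.writeUInt32BE(length, 4);
    return Buffer.concat([header, payload]);
  }));
  const head = Buffer.alloc(FILE_HEADER);
  head.write(MAGIC, 0, 4, 'latin1');
  head.writeUInt32BE(FILE_HEADER + body.length, 4);
  return Buffer.concat([head, body]);
}
// Well-formed: two entries whose declared lengths match their bytes.
const goodIcns = buildIcns([['ic07', 12, Buffer.alloc(4)], ['ic08', 10, Buffer.alloc(2)]]);
// Malformed as in the advisory: valid magic, but the entry's length field is 0.
const zeroLengthIcns = buildIcns([['ic07', 0, Buffer.alloc(4)]]);
```

Running `walkIcnsEntries` over an untrusted buffer before handing it to an image library gives a cheap pre-check; a rejected buffer is also a useful detection signal to log.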
Evidence notes
The CVE-2025-71330 record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2025-71330). Additional details can be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2025-71330).
Official resources
CVE-2025-71330 was published on 2026-06-10T14:16:30.387Z and modified on 2026-06-10T19:43:28.857Z.