CVE-2025-71319

Description

image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.

References

• https://github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7
• https://www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-findbox-function