CVE-2026-8814

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published May 19, 2026

Vendor unknown

Description

Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.

References

https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55
https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375
https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689340