CVE-2025-71319
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop
CVSS
7.5
High
EPSS
0.6%
p47
KEV
—
Exploit Today
14
0-100
Published: Jun 9, 2026 · Last modified: Jul 15, 2026 · CWE-835
0.6%EPSS · 30 days0.6%
2026-06-302026-07-17
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
- joshua.huhttps://joshua.hu/image-size-infinite-loop-dos-vulnerabilities
- web.archive.orghttps://web.archive.org/web/20260224152152/https://github.com/image-size/image-size/pull/439
- www.vulncheck.comhttps://www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-jxl-heif-parser
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33313
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37272
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-71319
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2487296
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-71319.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-48907.5 HIG93.6%
——28A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.3dCVE-2026-428997.5 HIG82.4%
——25Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.3dCVE-2026-331167.5 HIG80.0%
——24Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.3dCVE-2026-465227.5 HIG76.7%
——23ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.3dCVE-2023-301887.5 HIG73.3%
——22Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file.9dCVE-2022-233527.5 HIG72.6%
——22An issue in BigAnt Software BigAnt Server v5.6.06 can lead to a Denial of Service (DoS).9d