CVE-2025-71329 HIGH

CVE-2025-71329: image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser

Vendor Image-Size

Product image-size

Weakness CWE-835

Published June 10, 2026

Last update June 10, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.

Key dates

02Disclosure timeline

June 10, 2026 CVE published

June 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-71329

Related vulnerabilities

Identifiers

CVE CVE-2025-71329

CWE CWE-835

CVSS 8.7 / HIGH

Affected versions

Vendor Image-Size

Product image-size

Affected ≥ 1.1.0 and ≤ 1.2.1

Vendor Image-Size

Product image-size

Affected ≥ 2.0.0 and ≤ 2.0.2

CVE-2025-71329: image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser

01Description

02Disclosure timeline

03References

04Related CVE