CVE-2025-71330 HIGH

CVE-2025-71330: image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing

Vendor Image-Size

Product image-size

Weakness CWE-835

Published June 10, 2026

Last update June 10, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.

Key dates

02Disclosure timeline

June 10, 2026 CVE published

June 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-71330

Related vulnerabilities

Identifiers

CVE CVE-2025-71330

CWE CWE-835

CVSS 8.7 / HIGH

Affected versions

Vendor Image-Size

Product image-size

Affected ≥ 1.1.0 and ≤ 1.2.1

Vendor Image-Size

Product image-size

Affected ≥ 2.0.0 and ≤ 2.0.2

CVE-2025-71330: image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing

01Description

02Disclosure timeline

03References

04Related CVE