CVE-2026-53946

Ghost (Node.js CMS) is affected in versions 6.19.4–6.21.1. During post re-render, Ghost fetches image dimensions by issuing an outbound HTTP request to the URL stored on an image card, without restricting allowed hosts. An authenticated staff user who can create or edit posts could point an image...

CVE-2025-71319

A flaw was found in image-size. This vulnerability allows a remote attacker to cause a Denial of Service DoS by supplying specially crafted JXL, HEIF, or JP2 image files that contain zero-sized boxes. The findBox function, responsible for image validation, enters an infinite loop when processing...

Astra Linux – Vulnerability in pillow

In Pillow before 8.1.2, attackers can cause a denial of service due to excessive memory consumption. This occurs because the reported size of the contained image is not properly checked for an ICO container. As a result, a memory allocation attempt can be quite large...

CVE-2025-71330

A flaw was found in image-size. A remote attacker can exploit this vulnerability by providing a specially crafted ICNS image buffer. This malicious buffer, containing valid magic bytes and a zero-valued entry length, causes an infinite loop in the ICNS parser. This can permanently block the Node....

Linux Distros Unpatched Vulnerability : CVE-2025-71330

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a...

SUSE CVE-2025-71329

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...

SUSE CVE-2025-71330

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to...

Allocation of Resources Without Limits or Throttling

Overview Magick.NET-Q16-HDRI-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the extractPartialStreams and corresponding extraction functions for HEIF, JP2, and JXL. An attacker supplying an image whose requested box declares a size of zero can hang the parser indefinitely. Note: This is a bypas...

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the extractPartialStreams and corresponding extraction functions for HEIF, JP2, and JXL. An attacker supplying an image whose requested box declares a size of zero can hang the parser indefinitely. Note: This is a bypas...

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in icns.js. An ICNS file with an icon entry whose declared length is zero can hang the parser indefinitely. Remediation There is no fixed version for image-size. References - GitHub PR - Vulnerability Report - Vulnerable C...

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in icns.js. An ICNS file with an icon entry whose declared length is zero can hang the parser indefinitely. Remediation There is no fixed version for org.webjars.npm:image-size. References - GitHub PR - Vulnerability Repor...

CVE-2025-71330

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to...

CVE-2025-71329

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...

CVE-2025-71329

The CVE-2025-71329 vulnerability affects image-size up to version 2.0.2 and is triggered by a crafted image buffer containing a zero-valued size field in a recognized box-type, causing an infinite loop in the JXL or HEIF parsers and permanently blocking the Node.js event loop (DoS). Impact is den...

CVE-2025-71329 image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...

EUVD-2025-210106

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...

EUVD-2025-210105

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to...

CVE-2025-71330 image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to...

CVE-2025-71330 image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to...