CVE-2025-71319
HIGH 8.7 · PoC AVAILABLE

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
Public exploit or PoC code exists. Modeled probability is still low, but the barrier to attack is reduced — watch closely.
Exploitation likelihood
0.6% chance of exploitation in 30 days · 46th percentile
Impact if exploited
8.7 · CVSS 4.0 · HIGH
- Confidentiality: None
- Integrity: None
- Availability: High
What an attacker needs
- ✓ Access: Reachable over the network — no local access needed
- ✓ Privileges: No account or privileges required
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions — reliably repeatable
- ✓ Requirements: No special attack requirements
✓ lowers the bar for an attacker · ⚠ raises it
Proof of concept & exploit code
Listed for defensive triage and patch prioritization.
Affected
Vendors: Image Size, Red Hat
Products: Image Size, Red Hat Discovery 2, Gatekeeper 3, Red Hat Build Of Podman Desktop, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Fuse 7, Red Hat Openshift Dev Spaces
Weakness (CWE)
- CWE-835
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N