
CVE-2025-71319

Severity: HIGH (CVSS 8.7) · PoC available

Published 2026-06-09 · Last modified 2026-07-01

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
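As an added example (not image-size's own code), a minimal ISOBMFF-style box walker in Node.js shows the non-advancing offset the description refers to, beside a version that validates each declared size before moving on. The box layout (4-byte big-endian size followed by a 4-byte type) is assumed from the HEIF/JXL container format; the sample buffers are constructed, not real images.

```javascript
// Added example, not image-size's own code. Layout assumed from the
// ISOBMFF container used by HEIF and JXL: 4-byte big-endian size, 4-byte type.
const HEADER_LEN = 8;

// Naive walker: advances by the declared size, so a size of 0 never moves the
// offset. `maxIterations` is a demo guard so it returns instead of hanging.
function walkBoxesNaive(buf, maxIterations = 1000) {
  const types = [];
  let offset = 0;
  for (let i = 0; offset + HEADER_LEN <= buf.length; i++) {
    if (i >= maxIterations) return { types, hung: true };
    const size = buf.readUInt32BE(offset);
    types.push(buf.toString('latin1', offset + 4, offset + 8));
    offset += size; // size === 0 -> offset unchanged -> infinite loop
  }
  return { types, hung: false };
}

// Hardened walker: size 0 means "box extends to end of buffer" (ISOBMFF
// semantics); any size that would not move past the header or would overrun
// the buffer is rejected. The 64-bit "largesize" form (size === 1) is not
// decoded here, so it is rejected by the minimum-size check as well.
function walkBoxesSafe(buf) {
  const types = [];
  let offset = 0;
  while (offset + HEADER_LEN <= buf.length) {
    let size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    if (size === 0) size = buf.length - offset; // last box: take the remainder
    if (size < HEADER_LEN || offset + size > buf.length) {
      throw new Error(`invalid size ${size} for box ${type} at offset ${offset}`);
    }
    types.push(type);
    offset += size; // size >= HEADER_LEN, so the offset always advances
  }
  return types;
}

// Builds one box with an explicit declared size (constructed test data).
function box(type, declaredSize, payload = Buffer.alloc(0)) {
  const header = Buffer.alloc(HEADER_LEN);
  header.writeUInt32BE(declaredSize, 0);
  header.write(type, 4, 4, 'latin1');
  return Buffer.concat([header, payload]);
}
```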

EXPLOIT AVAILABLE

Public exploit or PoC code exists. Modeled probability is still low, but the barrier to attack is reduced — watch closely.

Exploitation likelihood

0.6% chance of exploitation in 30 days · 46th percentile

Not in CISA KEV · Public exploit / PoC available

Impact if exploited

8.7 (CVSS 4.0) · HIGH

  • Confidentiality: None
  • Integrity: None
  • Availability: High

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements


Proof of concept & exploit code

Listed for defensive triage and patch prioritization.

Affected

Vendors: Image Size, Red Hat

Products: Image Size; Red Hat Discovery 2; Gatekeeper 3; Red Hat Build Of Podman Desktop; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Fuse 7; Red Hat Openshift Dev Spaces

Weakness (CWE)

  • CWE-835 (Loop with Unreachable Exit Condition, "Infinite Loop")

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Sources: NVD · CVE.org · EPSS