Npm · Image-Size · CVE-2025-71330
**Name of the Vulnerable Software and Affected Versions**
image-size versions prior to 2.0.3
**Description**
A denial-of-service issue exists in which remote attackers can permanently block the Node.js event loop by providing a specially crafted ICNS image buffer. When an ICNS buffer has valid magic bytes and a zero-valued entry length field, the ICNS parser enters an infinite loop: the offset is not incremented when the entry length is 0, so the while loop condition remains true indefinitely.
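
The length check whose absence causes the hang, shown as an added example (not image-size's own code or its actual patch). The names `walkIcnsEntries`, `buildIcns` and `isSafeIcns` are hypothetical; the layout assumed is the standard ICNS one, an 8-byte file header followed by entries that each carry a 4-byte type and a big-endian 32-bit length that includes the 8-byte entry header.

```javascript
// Added example: hypothetical ICNS entry walker, not image-size's code.
const HEADER_SIZE = 8;       // 'icns' magic + uint32 BE file length
const ENTRY_HEADER_SIZE = 8; // 4-byte type + uint32 BE length (header included)

function walkIcnsEntries(buf) {
  if (buf.length < HEADER_SIZE || buf.toString('latin1', 0, 4) !== 'icns') {
    throw new RangeError('not an ICNS buffer');
  }
  // Never read past the real buffer, whatever the header declares.
  const end = Math.min(buf.readUInt32BE(4), buf.length);
  const entries = [];
  let offset = HEADER_SIZE;
  while (offset + ENTRY_HEADER_SIZE <= end) {
    const type = buf.toString('latin1', offset, offset + 4);
    const length = buf.readUInt32BE(offset + 4);
    // A length below the entry header size (0 included) would leave
    // `offset` stuck or overlapping, so reject it instead of looping.
    if (length < ENTRY_HEADER_SIZE) {
      throw new RangeError(`entry '${type}' at ${offset}: invalid length ${length}`);
    }
    if (offset + length > end) {
      throw new RangeError(`entry '${type}' at ${offset}: overruns buffer`);
    }
    entries.push({ type, offset, length });
    offset += length; // strictly increases, so the loop always terminates
  }
  return entries;
}

// Returns false for any buffer the walker rejects.
function isSafeIcns(buf) {
  try { walkIcnsEntries(buf); return true; } catch { return false; }
}

// Builds constructed sample buffers (not real icon files) for testing.
function buildIcns(entries) {
  const parts = entries.map(({ type, length, payload = 0 }) => {
    const e = Buffer.alloc(ENTRY_HEADER_SIZE + payload);
    e.write(type, 0, 4, 'latin1');
    e.writeUInt32BE(length, 4);
    return e;
  });
  const head = Buffer.alloc(HEADER_SIZE);
  head.write('icns', 0, 4, 'latin1');
  head.writeUInt32BE(HEADER_SIZE + parts.reduce((n, p) => n + p.length, 0), 4);
  return Buffer.concat([head, ...parts]);
}
```

A check like `isSafeIcns` can also serve as a regression test that a parser in use rejects the zero-length case rather than hanging.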
**Recommendations**
Update to version 2.0.3 or later.