PT-2026-48403 · Npm · Image-Size

Joshua Rogers · Published 2026-06-10 · Updated 2026-06-10 · CVE-2025-71329

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

image-size versions prior to 2.0.3

Description

A denial of service issue exists where remote attackers can permanently block the Node.js event loop. By supplying a specially crafted image buffer containing a box-type with a zero-valued size field, an infinite loop is triggered within the JXL or HEIF image parsers. This causes the offset to never advance, resulting in the application hanging permanently.

Recommendations

Update to version 2.0.3 or later.
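
The hang in the description comes from a box-walking loop whose offset stops advancing when a size field is zero. The following is an added example, not image-size's code or its patch: a minimal ISO BMFF-style box walk that enforces forward progress on every iteration. The names `walkBoxes` and `makeBox` are hypothetical, and the sample buffers are constructed.

```javascript
// Added example, not image-size's code: a box walk that always advances.
const HEADER = 8; // 4-byte big-endian size + 4-byte type

function walkBoxes(buf) {
  const boxes = [];
  let offset = 0;
  while (offset + HEADER <= buf.length) {
    let size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    let header = HEADER;
    if (size === 1) {
      // ISO BMFF: a 64-bit "largesize" follows the type field.
      if (offset + 16 > buf.length) throw new RangeError(`truncated largesize at ${offset}`);
      const large = buf.readBigUInt64BE(offset + 8);
      if (large > BigInt(buf.length)) throw new RangeError(`box '${type}' exceeds buffer`);
      size = Number(large);
      header = 16;
    } else if (size === 0) {
      // ISO BMFF: size 0 means "runs to end of data", so this is the last box.
      size = buf.length - offset;
    }
    // Invariant: every iteration moves offset forward and stays in bounds.
    // Without this check, a size that adds nothing to offset repeats forever.
    if (size < header || offset + size > buf.length) {
      throw new RangeError(`invalid size ${size} for box '${type}' at offset ${offset}`);
    }
    boxes.push({ type, offset, size });
    offset += size;
  }
  return boxes;
}

// Constructed sample input: build one box; sizeField overrides the declared size.
function makeBox(type, payloadLen, sizeField) {
  const b = Buffer.alloc(HEADER + payloadLen);
  b.writeUInt32BE(sizeField ?? b.length, 0);
  b.write(type, 4, 'latin1');
  return b;
}

// A zero-valued size field on the second box: the walk terminates.
const sample = Buffer.concat([makeBox('ftyp', 4), makeBox('meta', 8, 0)]);
console.log(walkBoxes(sample));
```

A parser that calls untrusted-input code like this on the main thread should still be updated to 2.0.3 or later; the guard shows the invariant to look for when reviewing similar loops.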

Exploit

Fix

DoS

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2025-71329

Affected Products

Image-Size