
Cloud Vulnerability DB
A community-led vulnerabilities database
The image-size npm package is affected by a Denial of Service vulnerability (GHSA-m5qc-5hw7-8vg7) when processing specially crafted images. The vulnerability affects versions >= 1.1.0, < 1.2.1 and >= 2.0.0, < 2.0.2, with patched versions being 1.2.1 and 2.0.2. The issue was discovered and published on April 2, 2025 (GitHub Advisory).
The vulnerability is an infinite loop in the findBox function when an image contains a box whose size field is 0. It manifests when processing JXL, HEIF, and JP2 image formats. When the first bytes of the input do not match any entry in firstBytes, the package falls back to validating the image with the other format handlers. In findBox, the loop advances the offset by box.size, so a box with size 0 never moves the offset forward and the loop runs indefinitely (GitHub Advisory).
The vulnerability results in a Denial of Service condition when processing specially crafted images. The CVSS score is 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating high impact on system availability (GitHub Advisory).
The vulnerability has been patched in versions 1.2.1 and 2.0.2. The fix ensures that the offset always increases by modifying the findBox function to advance by at least 8 bytes (the size of the box header) when box.size is 0 (GitHub Commit).
Source: This report was generated using AI