Published: June 9, 2026 | Last Modified: June 9, 2026
image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial of service vulnerability in the findBox function when processing specially crafted images with zero-sized boxes. Remote attackers can cause application hang by supplying malicious JXL, HEIF, or JP2 image files with box size zero, triggering infinite loops during image validation.
This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.