image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2025-71329 is a denial of service vulnerability in the image-size Node.js library (versions through 2.0.2) that allows remote attackers to permanently block the event loop by submitting maliciously crafted image files. The vulnerability exists in the JXL and HEIF image parsers, which fail to properly validate box-type size fields. When an attacker supplies an image with a box containing a zero-valued size field, the parser enters an infinite loop because the offset never advances, causing the entire Node.js application to hang indefinitely. This affects any web service, API gateway, or backend application that processes user-supplied images without rate limiting or timeout protections, making it a critical availability risk for image-processing pipelines, CDNs, and cloud platforms.
While this CVE currently maps to zero Casky skills under MITRE ATT&CK, practitioners using Casky's Claude AI-powered analysis would detect the attack surface through Resource Exhaustion and Application Hang patterns. The extended reasoning capabilities would identify that this attack falls under the broader Impact category—specifically Resource Exhaustion (T1561 equivalent concepts)—by analyzing parser behavior anomalies: sustained 100% CPU utilization on a single thread, zero network activity post-request, and unresponsive event loops. A practitioner reviewing Casky findings would see indicators such as image file uploads triggering indefinite processing times, memory growth stagnation, and absence of completion callbacks, signaling a hang condition rather than normal processing delays. Detection would also flag suspicious image characteristics: box headers with zero-length fields that violate file format specifications, enabling teams to implement input validation rules before images reach vulnerable parsers.
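The following is an added example, not code from image-size or from Casky, of a bounded ISOBMFF-style box walker (the container layout shared by HEIF and the JXL container). It treats a zero size field as "box runs to the end of the buffer" (the ISO/IEC 14496-12 meaning), rejects sizes smaller than the box header, and guarantees the offset advances on every iteration, so the hang described above cannot occur; the same check can run as a pre-filter before a buffer reaches the real parser. All names, the box cap and the sample buffers are constructed for this illustration.

```javascript
// Added example (not image-size's code): a bounded ISOBMFF/JXL-container box walker.
// Each box header is a 4-byte big-endian size followed by a 4-byte type; size 1 means a
// 64-bit "largesize" follows, and size 0 (ISO/IEC 14496-12) means "box runs to end of file".
// The walker guarantees the offset strictly advances on every iteration, so a zero or
// undersized size field can never pin the event loop.
const HEADER = 8;
const MAX_BOXES = 10000; // hypothetical safety cap on boxes per file

function walkBoxes(buf) {
  const boxes = [];
  let offset = 0;
  while (offset < buf.length) {
    if (boxes.length >= MAX_BOXES) throw new Error('too many boxes');
    if (buf.length - offset < HEADER) throw new Error(`truncated box header at ${offset}`);
    let size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    let headerLen = HEADER;
    if (size === 1) {
      if (buf.length - offset < 16) throw new Error(`truncated largesize at ${offset}`);
      const large = buf.readBigUInt64BE(offset + 8);
      if (large > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error('largesize too big');
      size = Number(large);
      headerLen = 16;
    } else if (size === 0) {
      // "to end of file": only legal for the last box; consume the remainder and stop.
      size = buf.length - offset;
    }
    if (size < headerLen) throw new Error(`box '${type}' size ${size} smaller than its header`);
    if (offset + size > buf.length) throw new Error(`box '${type}' overruns buffer`);
    boxes.push({ type, offset, size });
    offset += size; // size >= headerLen >= 8, so the offset always advances
  }
  return boxes;
}

// Constructed helper and samples: an 'ftyp' box followed by a 'meta' box whose size
// field is overridden (0 = to end of buffer; 4 = smaller than its own header).
function box(type, payload = Buffer.alloc(0), sizeField) {
  const hdr = Buffer.alloc(8);
  hdr.writeUInt32BE(sizeField ?? 8 + payload.length, 0);
  hdr.write(type, 4, 'latin1');
  return Buffer.concat([hdr, payload]);
}
const SAMPLE_ZERO = Buffer.concat([box('ftyp', Buffer.from('heic')), box('meta', Buffer.alloc(4), 0)]);
const SAMPLE_UNDERSIZED = Buffer.concat([box('ftyp', Buffer.from('heic')), box('meta', Buffer.alloc(4), 4)]);
```

Running `walkBoxes(SAMPLE_ZERO)` returns two boxes and terminates; `walkBoxes(SAMPLE_UNDERSIZED)` throws instead of looping.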
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro.
Casky has 0 skills that investigate the attack patterns behind CVE-2025-71329. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation