image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2025-71330 is a denial of service vulnerability in the image-size Node.js library (versions through 2.0.2) that allows remote attackers to permanently disable application availability by submitting a malicious ICNS image file. The vulnerability stems from a parsing logic flaw where a zero-valued entry length field in an ICNS buffer causes an infinite loop—the parser's offset variable never increments, leaving the while loop condition perpetually true. This impacts any Node.js application using image-size to process untrusted image inputs, including web services, file upload handlers, and image processing pipelines. With a CVSS score of 7.5 (high), a single crafted ICNS image can freeze the entire event loop, rendering the application unresponsive and unavailable to legitimate users.
While this CVE does not map to specific MITRE ATT&CK techniques, Casky's AI-driven analysis would detect the attack pattern as a resource exhaustion denial of service through input validation bypass. Practitioners using Casky would see findings highlighting unsafe parsing of untrusted image file formats, unvalidated loop conditions in binary parsers, and missing bounds checking on file structure fields. The platform's extended reasoning would flag that attackers need only network access to submit a malicious ICNS file, identifying this as a low-barrier attack vector. Casky would recommend defensive measures including input sanitization, timeouts on parser operations, process isolation for image handling, and upgrading image-size to version 3.0.0 or later where this infinite loop has been patched.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2025-71330. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →
© 2026 Casky.AI, Inc. · AI Security Investigation