GHSA-RR89-W3H9-M66J
Vulnerability from github – Published: 2026-05-29 17:52 – Updated: 2026-05-29 17:52
VLAI
Summary
ExifReader is vulnerable to denial of service via unbounded decompression of image metadata
Details
Impact
Versions of ExifReader from 4.20.0 through 4.38.1 do not bound the size of decompressed metadata blocks. When a caller invokes the asynchronous API (e.g. ExifReader.load(file) or ExifReader.load(buffer, {async: true})) on an attacker-supplied image, a small compressed chunk in the file can expand to hundreds of megabytes of memory, consuming heap and CPU until the process slows down or runs out of memory.
The affected paths share a single decompression utility, so the issue is reachable through any compressed metadata block the library handles asynchronously, including:
- PNG
zTXt, compressediTXt, andiCCPchunks (deflate) - JPEG XL Brotli-compressed Exif and XMP blocks
A typical proof of concept produced roughly 1000× expansion (for example, ~32 KB of compressed input expanded to ~32 MB of output, ~130 KB to ~128 MB).
Both the npm package and the dist/ bundle published from this repository (consumed by Bower and other users of the prebuilt artifact) are affected.
Patches
Fixed in 4.39.0. The decompression utility now reads the decompressed stream incrementally and aborts as soon as the running total would exceed a configurable limit. The default cap is 128 MiB per metadata block, which is well above any realistic legitimate value. When a block exceeds the cap, that block is skipped (a warning is emitted via console.warn) and the remaining tags are returned as usual.
The cap is configurable via the new maxDecompressedSize field on the decompress option, in bytes:
const tags = await ExifReader.load(file, {
async: true,
decompress: {
maxDecompressedSize: 16 * 1024 * 1024 // 16 MiB
}
});
The same cap applies to results returned by user-supplied custom brotli/deflate functions.
Workarounds
- If upgrading is not possible, avoid invoking the asynchronous API on untrusted inputs. The synchronous code path skips compressed metadata blocks entirely and is not affected. Alternatively, pre-validate input files by source or size before passing them to ExifReader.
Resources
- Reporter's writeup: https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55
- Patch: https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375
- README — "Limiting decompressed metadata size": https://github.com/mattiasw/ExifReader/blob/main/README.md#limiting-decompressed-metadata-size
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "exifreader"
},
"ranges": [
{
"events": [
{
"introduced": "4.20.0"
},
{
"fixed": "4.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8814"
],
"database_specific": {
"cwe_ids": [
"CWE-409"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T17:52:26Z",
"nvd_published_at": "2026-05-19T07:16:30Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nVersions of ExifReader from 4.20.0 through 4.38.1 do not bound the size of decompressed metadata blocks. When a caller invokes the asynchronous API (e.g. `ExifReader.load(file)` or `ExifReader.load(buffer, {async: true})`) on an attacker-supplied image, a small compressed chunk in the file can expand to hundreds of megabytes of memory, consuming heap and CPU until the process slows down or runs out of memory.\n\nThe affected paths share a single decompression utility, so the issue is reachable through any compressed metadata block the library handles asynchronously, including:\n\n- PNG `zTXt`, compressed `iTXt`, and `iCCP` chunks (deflate)\n- JPEG XL Brotli-compressed Exif and XMP blocks\n\nA typical proof of concept produced roughly 1000\u00d7 expansion (for example, ~32 KB of compressed input expanded to ~32 MB of output, ~130 KB to ~128 MB).\n\nBoth the npm package and the `dist/` bundle published from this repository (consumed by Bower and other users of the prebuilt artifact) are affected.\n\n### Patches\n\nFixed in **4.39.0**. The decompression utility now reads the decompressed stream incrementally and aborts as soon as the running total would exceed a configurable limit. The default cap is **128 MiB** per metadata block, which is well above any realistic legitimate value. When a block exceeds the cap, that block is skipped (a warning is emitted via `console.warn`) and the remaining tags are returned as usual.\n\nThe cap is configurable via the new `maxDecompressedSize` field on the `decompress` option, in bytes:\n\n```javascript\nconst tags = await ExifReader.load(file, {\n async: true,\n decompress: {\n maxDecompressedSize: 16 * 1024 * 1024 // 16 MiB\n }\n});\n```\n\nThe same cap applies to results returned by user-supplied custom `brotli`/`deflate` functions.\n\n### Workarounds\n\n- If upgrading is not possible, avoid invoking the asynchronous API on untrusted inputs. The synchronous code path skips compressed metadata blocks entirely and is not affected. Alternatively, pre-validate input files by source or size before passing them to ExifReader.\n\n### Resources\n\n- Reporter\u0027s writeup: https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55\n- Patch: https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375\n- README \u2014 \"Limiting decompressed metadata size\": https://github.com/mattiasw/ExifReader/blob/main/README.md#limiting-decompressed-metadata-size",
"id": "GHSA-rr89-w3h9-m66j",
"modified": "2026-05-29T17:52:26Z",
"published": "2026-05-29T17:52:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mattiasw/ExifReader/security/advisories/GHSA-rr89-w3h9-m66j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8814"
},
{
"type": "WEB",
"url": "https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375"
},
{
"type": "WEB",
"url": "https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattiasw/ExifReader"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689340"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "ExifReader is vulnerable to denial of service via unbounded decompression of image metadata"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…