From 38e8fab1ed359663429352b3b8165a92b2f8d6de Mon Sep 17 00:00:00 2001 From: Yuki Matsuhashi Date: Fri, 5 Jun 2026 22:37:55 +0900 Subject: [PATCH] Improve GHSA-h64w-w9pr-82m4 --- .../2026/05/GHSA-h64w-w9pr-82m4/GHSA-h64w-w9pr-82m4.json | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2026/05/GHSA-h64w-w9pr-82m4/GHSA-h64w-w9pr-82m4.json b/advisories/github-reviewed/2026/05/GHSA-h64w-w9pr-82m4/GHSA-h64w-w9pr-82m4.json index 5332e375d5f0c..456137cb522c9 100644 --- a/advisories/github-reviewed/2026/05/GHSA-h64w-w9pr-82m4/GHSA-h64w-w9pr-82m4.json +++ b/advisories/github-reviewed/2026/05/GHSA-h64w-w9pr-82m4/GHSA-h64w-w9pr-82m4.json 
@@ -7,7 +7,7 @@ "CVE-2026-8813" ], "summary": "ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag", - "details": "### Impact\n\nWhen parsing an image with an embedded ICC profile that contains a crafted `multiLocalizedUnicodeType` (`mluc`) tag, ExifReader can be made to allocate memory proportional to attacker-controlled fields in the tag rather than to\nthe actual size of the input. Processing such an image causes excessive memory consumption and can terminate the host process (out-of-memory).\n\nAny application that calls `ExifReader.load()` on untrusted images, for example, user uploads in a web service, is affected. ICC profiles are carried in JPEG, TIFF, PNG, HEIC, AVIF, JPEG XL, and WebP, so the issue is reachable from any of those formats.\n\n### Patches\n\nFixed in `exifreader@4.39.0`. Upgrade with:\n\n npm install exifreader@latest\n\nBower users consume the bundled `dist/` files from this repository, and the same fix is committed there.\n\n### Workarounds\n\nIf upgrading is not immediately possible, configure a [custom build](https://github.com/mattiasw/ExifReader#configure-a-custom-build) that excludes the `icc` module so that ICC parsing (and therefore this code path) is skipped entirely.\n\n### Resources\n\n- Reporter's writeup: https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4\n- Patch: https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30", + "details": "### Impact\n\nWhen parsing an image with an embedded ICC profile that contains a crafted `multiLocalizedUnicodeType` (`mluc`) tag, ExifReader can be made to allocate memory proportional to attacker-controlled fields in the tag rather than to\nthe actual size of the input. Processing such an image causes excessive memory consumption and can terminate the host process (out-of-memory).\n\nAny application that calls `ExifReader.load()` on untrusted images, for example, user uploads in a web service, is affected. 
ICC profiles are carried in JPEG, TIFF, PNG, HEIC, AVIF, JPEG XL, and WebP, so the issue is reachable from any of those formats.\n\n### Patches\n\nFixed in `exifreader@4.39.0`. Upgrade with:\n\n npm install exifreader@latest\n\nBower users consume the bundled `dist/` files from this repository, and the same fix is committed there.\n\n### Workarounds\n\nIf upgrading is not immediately possible, configure a [custom build](https://github.com/mattiasw/ExifReader#configure-a-custom-build) that excludes the `icc` module so that ICC parsing (and therefore this code path) is skipped entirely.\n\n### Resources\n\n- Patch: https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30", "severity": [ { "type": "CVSS_V3", @@ -52,10 +52,6 @@ "type": "WEB", "url": "https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30" }, - { - "type": "WEB", - "url": "https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4" - }, { "type": "PACKAGE", "url": "https://github.com/mattiasw/ExifReader" @@ -74,4 +70,4 @@ "github_reviewed_at": "2026-05-29T17:58:37Z", "nvd_published_at": "2026-05-19T07:16:30Z" } -} \ No newline at end of file +}
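Review bot: In the first hunk (@@ -7,7 +7,7 @@), the replacement `details` string keeps a stray line break in the middle of a sentence: "in the tag rather than to\nthe actual size of the input". Since the whole field is rewritten here anyway, change that `\n` to a space so the Impact paragraph is a single unbroken sentence. The only content difference between the old and new strings is the dropped "Reporter's writeup" bullet under Resources, so this cleanup would not widen the scope of the change.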
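Review bot: In the second hunk (@@ -52,10 +52,6 @@), the gist entry is deleted from `references` with no reason given: the subject "Improve GHSA-h64w-w9pr-82m4" does not say why the reporter's writeup should be removed. Add a sentence to the commit message stating the reason, so a maintainer can confirm that this deletion and the matching one in `details` are intentional. Of the references visible in this hunk, only the patch commit and the package URL remain after the change.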