github · yuki-matsuhashi · Jun 5, 2026
diff --git a/advisories/github-reviewed/2026/05/GHSA-h64w-w9pr-82m4/GHSA-h64w-w9pr-82m4.json b/advisories/github-reviewed/2026/05/GHSA-h64w-w9pr-82m4/GHSA-h64w-w9pr-82m4.json
@@ -7,7 +7,7 @@
     "CVE-2026-8813"
   ],
   "summary": "ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag",
-  "details": "### Impact\n\nWhen parsing an image with an embedded ICC profile that contains a crafted `multiLocalizedUnicodeType` (`mluc`) tag, ExifReader can be made to allocate memory proportional to attacker-controlled fields in the tag rather than to\nthe actual size of the input. Processing such an image causes excessive memory consumption and can terminate the host process (out-of-memory).\n\nAny application that calls `ExifReader.load()` on untrusted images, for example, user uploads in a web service, is affected. ICC profiles are carried in JPEG, TIFF, PNG, HEIC, AVIF, JPEG XL, and WebP, so the issue is reachable from any of those formats.\n\n### Patches\n\nFixed in `exifreader@4.39.0`. Upgrade with:\n\n    npm install exifreader@latest\n\nBower users consume the bundled `dist/` files from this repository, and the same fix is committed there.\n\n### Workarounds\n\nIf upgrading is not immediately possible, configure a [custom build](https://github.com/mattiasw/ExifReader#configure-a-custom-build) that excludes the `icc` module so that ICC parsing (and therefore this code path) is skipped entirely.\n\n### Resources\n\n- Reporter's writeup: https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4\n- Patch: https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30",
+  "details": "### Impact\n\nWhen parsing an image with an embedded ICC profile that contains a crafted `multiLocalizedUnicodeType` (`mluc`) tag, ExifReader can be made to allocate memory proportional to attacker-controlled fields in the tag rather than to\nthe actual size of the input. Processing such an image causes excessive memory consumption and can terminate the host process (out-of-memory).\n\nAny application that calls `ExifReader.load()` on untrusted images, for example, user uploads in a web service, is affected. ICC profiles are carried in JPEG, TIFF, PNG, HEIC, AVIF, JPEG XL, and WebP, so the issue is reachable from any of those formats.\n\n### Patches\n\nFixed in `exifreader@4.39.0`. Upgrade with:\n\n    npm install exifreader@latest\n\nBower users consume the bundled `dist/` files from this repository, and the same fix is committed there.\n\n### Workarounds\n\nIf upgrading is not immediately possible, configure a [custom build](https://github.com/mattiasw/ExifReader#configure-a-custom-build) that excludes the `icc` module so that ICC parsing (and therefore this code path) is skipped entirely.\n\n### Resources\n\n- Patch: https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -52,10 +52,6 @@
       "type": "WEB",
       "url": "https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30"
     },
-    {
-      "type": "WEB",
-      "url": "https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4"
-    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/mattiasw/ExifReader"
@@ -74,4 +70,4 @@
     "github_reviewed_at": "2026-05-29T17:58:37Z",
     "nvd_published_at": "2026-05-19T07:16:30Z"
   }
-}
+}