VDB
KO
HIGH 7.5

GHSA-h64w-w9pr-82m4

ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag

Details

### Impact

When parsing an image with an embedded ICC profile that contains a crafted `multiLocalizedUnicodeType` (`mluc`) tag, ExifReader can be made to allocate memory proportional to attacker-controlled fields in the tag rather than to the actual size of the input. Processing such an image causes excessive memory consumption and can terminate the host process (out-of-memory).

Any application that calls `ExifReader.load()` on untrusted images, for example, user uploads in a web service, is affected. ICC profiles are carried in JPEG, TIFF, PNG, HEIC, AVIF, JPEG XL, and WebP, so the issue is reachable from any of those formats.

### Patches

Fixed in `exifreader@4.39.0`. Upgrade with:

npm install exifreader@latest

Bower users consume the bundled `dist/` files from this repository, and the same fix is committed there.

### Workarounds

If upgrading is not immediately possible, configure a [custom build](https://github.com/mattiasw/ExifReader#configure-a-custom-build) that excludes the `icc` module so that ICC parsing (and therefore this code path) is skipped entirely.

### Resources

- Patch: https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / exifreader
Introduced in: 2.10.0 Fixed in: 4.39.0
Fix npm install exifreader@4.39.0

References