exifreader is vulnerable to Denial of Service (DoS)
53
Medium Risk
ExifReader parses ICC profile mluc (multiLocalizedUnicodeType) tags in src/icc-tags.js by iterating over an attacker-declared record count and appending one entry per record to an in-memory array. When a crafted ICC profile declares a very large numRecords together with a valid record size and a sufficiently large payload, the parser processes and allocates an object per record with no upper bound on the record count. Parsing such an image consumes excessive CPU and memory and can exhaust the host process. The fix caps the mluc record count and returns the already parsed tags once the cap is exceeded.
You are affected if you are using a version that falls within the vulnerable range.
exifreader is vulnerable to Denial of Service (DoS) in versions 4.39.0 - 4.40.4.
Upgrade the exifreader library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant