The exifreader package has a vulnerability that allows an attacker to craft a PNG file with a highly compressed zTXt chunk, causing excessive memory growth and potentially leading to a denial-of-service attack. This issue affects applications that parse attacker-supplied images. Developers should be aware of this issue when working with exifreader.
Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.
Developers using the exifreader package are at medium risk of a denial-of-service attack, which can cause memory exhaustion and system crashes, especially when parsing attacker-supplied images.
What should I do?
Monitor & Review: Low severity — keep this CVE on your radar and patch during routine maintenance.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L