Open-Source Security Intelligence

Know every vulnerability
before it knows you.

DevGuard continuously monitors your dependencies and alerts you when CVEs like this one affect your stack — with real-time threat intelligence built for developers.

Checkout DevGuard View on GitHub

GHSA-rr89-w3h9-m66j

MediumCVSS 5.3 / 10

Published May 29, 2026·Last modified May 29, 2026

Affected Components(1)

exifreader

4.20.0 – 4.39.0

Description

Impact

Versions of ExifReader from 4.20.0 through 4.38.1 do not bound the size of decompressed metadata blocks. When a caller invokes the asynchronous API (e.g. ExifReader.load(file) or ExifReader.load(buffer, {async: true})) on an attacker-supplied image, a small compressed chunk in the file can expand to hundreds of megabytes of memory, consuming heap and CPU until the process slows down or runs out of memory.

The affected paths share a single decompression utility, so the issue is reachable through any compressed metadata block the library handles asynchronously, including:

PNG zTXt, compressed iTXt, and iCCP chunks (deflate)
JPEG XL Brotli-compressed Exif and XMP blocks

A typical proof of concept produced roughly 1000× expansion (for example, ~32 KB of compressed input expanded to ~32 MB of output, ~130 KB to ~128 MB).

Both the npm package and the dist/ bundle published from this repository (consumed by Bower and other users of the prebuilt artifact) are affected.

Patches

Fixed in 4.39.0. The decompression utility now reads the decompressed stream incrementally and aborts as soon as the running total would exceed a configurable limit. The default cap is 128 MiB per metadata block, which is well above any realistic legitimate value. When a block exceeds the cap, that block is skipped (a warning is emitted via console.warn) and the remaining tags are returned as usual.

The cap is configurable via the new maxDecompressedSize field on the decompress option, in bytes:

const tags = await ExifReader.load(file, {
    async: true,
    decompress: {
        maxDecompressedSize: 16 * 1024 * 1024 // 16 MiB
    }
});

The same cap applies to results returned by user-supplied custom brotli/deflate functions.

Workarounds

If upgrading is not possible, avoid invoking the asynchronous API on untrusted inputs. The synchronous code path skips compressed metadata blocks entirely and is not affected. Alternatively, pre-validate input files by source or size before passing them to ExifReader.

Resources

Reporter's writeup: https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55
Patch: https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375
README — "Limiting decompressed metadata size": https://github.com/mattiasw/ExifReader/blob/main/README.md#limiting-decompressed-metadata-size

Risk Scores

Base Score

5.3

The vulnerability can be exploited over the network without needing physical access. It is easy for an attacker to exploit this vulnerability. An attacker does not need any special privileges or access rights. No user interaction is needed for the attacker to exploit this vulnerability. The impact is confined to the system where the vulnerability exists. There is a low impact on the availability of the system.

Threat Intelligence

4.9

Exploitation attempts have been detected. Elevated vigilance and prompt remediation are advised.

EPSS

N/A

Probability that this vulnerability will be exploited in the wild within the next 30 days.

Exploit

Not available

We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database.

Browse More

Medium severity

Scan your project

Continuously monitor your dependencies and get alerted when vulnerabilities like this one affect your stack.