fix(deps): update dependency exifreader to v4.39.0 [security] #17510

Open

renovate[bot] wants to merge 1 commit into

Conversation
Codecov Report

✅ All modified and coverable lines are covered by tests.

Coverage Diff

             develop   #17510      +/-
Coverage      24.92%   15.22%   -9.71%
Files           1160      247     -913
Lines          39555    12349   -27206
Branches       11016     4196    -6820
Hits            9861     1880    -7981
Misses         23796     8196   -15600
Partials        5898     2273    -3625
This PR contains the following updates:

exifreader: 4.38.1 → 4.39.0

ExifReader is vulnerable to denial of service via unbounded decompression of image metadata

CVE-2026-8814 / GHSA-rr89-w3h9-m66j

Impact

Versions of ExifReader from 4.20.0 through 4.38.1 do not bound the size of decompressed metadata blocks. When a caller invokes the asynchronous API (e.g. ExifReader.load(file) or ExifReader.load(buffer, {async: true})) on an attacker-supplied image, a small compressed chunk in the file can expand to hundreds of megabytes of memory, consuming heap and CPU until the process slows down or runs out of memory.

The affected paths share a single decompression utility, so the issue is reachable through any compressed metadata block the library handles asynchronously, including:

- zTXt, compressed iTXt, and iCCP chunks (deflate)

A typical proof of concept produced roughly 1000× expansion (for example, ~32 KB of compressed input expanded to ~32 MB of output, ~130 KB to ~128 MB).

Both the npm package and the dist/ bundle published from this repository (consumed by Bower and other users of the prebuilt artifact) are affected.

Patches

Fixed in 4.39.0. The decompression utility now reads the decompressed stream incrementally and aborts as soon as the running total would exceed a configurable limit. The default cap is 128 MiB per metadata block, which is well above any realistic legitimate value. When a block exceeds the cap, that block is skipped (a warning is emitted via console.warn) and the remaining tags are returned as usual.

The cap is configurable via the new maxDecompressedSize field on the decompress option, in bytes. The same cap applies to results returned by user-supplied custom brotli/deflate functions.

Workarounds

Resources

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
ExifReader is vulnerable to denial of service via crafted ICC mluc tag

CVE-2026-8813 / GHSA-h64w-w9pr-82m4

Impact

When parsing an image with an embedded ICC profile that contains a crafted multiLocalizedUnicodeType (mluc) tag, ExifReader can be made to allocate memory proportional to attacker-controlled fields in the tag rather than to the actual size of the input. Processing such an image causes excessive memory consumption and can terminate the host process (out-of-memory).

Any application that calls ExifReader.load() on untrusted images, for example user uploads in a web service, is affected. ICC profiles are carried in JPEG, TIFF, PNG, HEIC, AVIF, JPEG XL, and WebP, so the issue is reachable from any of those formats.

Patches

Fixed in exifreader@4.39.0. Upgrade with:

Bower users consume the bundled dist/ files from this repository, and the same fix is committed there.

Workarounds

If upgrading is not immediately possible, configure a custom build that excludes the icc module so that ICC parsing (and therefore this code path) is skipped entirely.

Resources

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes

mattiasw/ExifReader (exifreader)

v4.39.0

Added

- decompress.maxDecompressedSize option to bound the size of any single decompressed metadata block (default 128 MiB). Blocks that would exceed the limit are skipped with a console.warn; remaining tags are returned as usual.

Fixed

Security

- mluc tags (CVE-2026-8813, GHSA-h64w-w9pr-82m4). Reported by Yuki Matsuhashi (@yuki-matsuhashi).
- (CVE-2026-8814, GHSA-rr89-w3h9-m66j). Reported by Yuki Matsuhashi (@yuki-matsuhashi).
Configuration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
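The first advisory above (CVE-2026-8814) describes a deflate expansion of roughly 1000× inside a compressed PNG text chunk and a fix that aborts once the running decompressed total would exceed a cap. The following Node.js script is an added example, not ExifReader's code and not taken from the advisory: it builds a constructed zTXt chunk body whose zlib stream inflates about 1000×, inflates it once without a limit and once under a cap, and skips the block with a warning when the cap is hit. The bounding here is done by Node's own zlib maxOutputLength option; the advisory says ExifReader 4.39.0 reads incrementally inside its own decompression utility, which is not reproduced. The keyword, function names and the 4 MiB / 1 MiB sizes are this example's choices.

```javascript
// Added example (not ExifReader code): a constructed PNG zTXt chunk whose deflate
// stream expands roughly 1000x, inflated with and without a size cap.
const zlib = require('zlib');

const MIB = 1024 * 1024;

// zTXt chunk body layout (PNG spec): keyword, NUL, compression method byte
// (0 = deflate/zlib), then the zlib stream. Chunk length/CRC framing is omitted.
function buildZtxtChunkBody(keyword, textBytes) {
  const compressed = zlib.deflateSync(textBytes, { level: 9 });
  return Buffer.concat([Buffer.from(keyword, 'latin1'), Buffer.from([0x00, 0x00]), compressed]);
}

// Split a zTXt body into keyword and compressed stream, as a reader would.
function parseZtxtChunkBody(body) {
  const nul = body.indexOf(0x00);
  if (nul < 1 || nul > 79) throw new Error('zTXt: keyword must be 1-79 bytes and NUL-terminated');
  if (body[nul + 1] !== 0x00) throw new Error('zTXt: unsupported compression method ' + body[nul + 1]);
  return { keyword: body.subarray(0, nul).toString('latin1'), compressed: body.subarray(nul + 2) };
}

// Unbounded inflate: the whole stream is materialised, however large it turns out to be.
function inflateUnbounded(compressed) {
  return zlib.inflateSync(compressed);
}

// Bounded inflate: Node's zlib stops once the output would exceed maxOutputLength and
// throws ERR_BUFFER_TOO_LARGE; the block is then skipped with a warning so the caller
// can carry on with the remaining chunks (the behaviour the advisory describes for 4.39.0).
function inflateBounded(compressed, maxDecompressedSize) {
  try {
    const data = zlib.inflateSync(compressed, { maxOutputLength: maxDecompressedSize });
    return { data, skipped: false };
  } catch (err) {
    if (err.code !== 'ERR_BUFFER_TOO_LARGE') throw err;
    console.warn(`skipping compressed chunk: output would exceed ${maxDecompressedSize} bytes`);
    return { data: null, skipped: true };
  }
}

// Constructed input: plainSize zero bytes deflate to a few KiB. 4 MiB keeps the demo
// cheap; the same ratio holds for the hundreds of MiB the advisory mentions.
function demo(plainSize = 4 * MIB, cap = 1 * MIB) {
  const body = buildZtxtChunkBody('Comment', Buffer.alloc(plainSize, 0x00));
  const { compressed } = parseZtxtChunkBody(body);
  const unbounded = inflateUnbounded(compressed);
  const bounded = inflateBounded(compressed, cap);
  return {
    compressedBytes: compressed.length,
    unboundedBytes: unbounded.length,
    expansionRatio: unbounded.length / compressed.length,
    boundedSkipped: bounded.skipped,
  };
}

if (require.main === module) {
  console.log(demo());
}
```

Running the script prints a compressed size of a few KiB against 4 MiB of output and boundedSkipped: true. Whatever value is chosen for the cap, it is worth setting it per block rather than per file, as the advisory's default does, so a legitimate image with several large text chunks is not rejected outright.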
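The second advisory above (CVE-2026-8813) says a crafted ICC mluc tag makes the parser allocate memory proportional to header fields rather than to the input. The following script is an added example, not ExifReader's parser and not a description of the checks 4.39.0 actually introduced (the page does not list them): it builds constructed multiLocalizedUnicodeType tags using the record layout from the ICC specification, shows how much a reader that trusts numberOfRecords, recordSize and stringLength would reserve for a 32-byte tag, and parses the same bytes with every count and offset validated against the real tag length first. Function and constant names are this example's own.

```javascript
// Added example (not ExifReader code): bounds-checked parsing of an ICC
// multiLocalizedUnicodeType ('mluc') tag versus a sizing routine that trusts the header.
// Tag layout (ICC.1): 'mluc' | reserved u32 | numberOfRecords u32 | recordSize u32 (12) |
// records of { language u16, country u16, stringLength u32, stringOffset u32 } | UTF-16BE strings.

const MLUC_HEADER = 16;
const MLUC_RECORD = 12;

// Build a well-formed tag from {lang, country, text} records (constructed test data).
function buildMlucTag(records) {
  const header = Buffer.alloc(MLUC_HEADER + records.length * MLUC_RECORD);
  header.write('mluc', 0, 'ascii');
  header.writeUInt32BE(0, 4);
  header.writeUInt32BE(records.length, 8);
  header.writeUInt32BE(MLUC_RECORD, 12);
  const strings = [];
  let offset = header.length;
  records.forEach((r, i) => {
    const utf16be = Buffer.from(r.text, 'utf16le').swap16();
    const at = MLUC_HEADER + i * MLUC_RECORD;
    header.write(r.lang, at, 'ascii');
    header.write(r.country, at + 2, 'ascii');
    header.writeUInt32BE(utf16be.length, at + 4);
    header.writeUInt32BE(offset, at + 8);
    strings.push(utf16be);
    offset += utf16be.length;
  });
  return Buffer.concat([header, ...strings]);
}

// Naive sizing: bytes a parser would reserve if it believed numberOfRecords, recordSize
// and each stringLength. For the crafted tag below this is tens of GiB from 32 bytes of input.
function naiveAllocationBytes(tag) {
  const n = tag.readUInt32BE(8);
  const recordSize = tag.readUInt32BE(12);
  let total = n * recordSize;                       // the record table
  for (let i = 0; i < n; i++) {                     // string buffers, for the records that are readable
    const at = MLUC_HEADER + i * recordSize;
    if (at + MLUC_RECORD > tag.length) break;       // a truly naive reader would not even stop here
    total += tag.readUInt32BE(at + 4);
  }
  return total;
}

// Hardened parse: every count, size and offset is validated against tag.length before use,
// so memory and work are bounded by the bytes actually supplied.
function parseMlucTag(tag) {
  if (tag.length < MLUC_HEADER || tag.toString('ascii', 0, 4) !== 'mluc') throw new Error('mluc: bad header');
  const n = tag.readUInt32BE(8);
  const recordSize = tag.readUInt32BE(12);
  if (recordSize < MLUC_RECORD) throw new Error('mluc: record size below 12');
  if (n > Math.floor((tag.length - MLUC_HEADER) / recordSize)) {
    throw new Error(`mluc: ${n} records do not fit in ${tag.length} bytes`);
  }
  const out = [];
  for (let i = 0; i < n; i++) {
    const at = MLUC_HEADER + i * recordSize;
    const len = tag.readUInt32BE(at + 4);
    const off = tag.readUInt32BE(at + 8);
    if (len % 2 !== 0 || off < MLUC_HEADER || off + len > tag.length) {
      throw new Error(`mluc: record ${i} points outside the tag`);
    }
    const text = Buffer.from(tag.subarray(off, off + len)).swap16().toString('utf16le');
    out.push({ lang: tag.toString('ascii', at, at + 2), country: tag.toString('ascii', at + 2, at + 4), text });
  }
  return out;
}

// Crafted tag: one valid record, then numberOfRecords and the first stringLength set to 2^32-1.
function craftMlucBomb() {
  const tag = buildMlucTag([{ lang: 'en', country: 'US', text: 'ok' }]);
  tag.writeUInt32BE(0xffffffff, 8);
  tag.writeUInt32BE(0xffffffff, MLUC_HEADER + 4);
  return tag;
}

function mlucIsRejected(tag) {
  try { parseMlucTag(tag); return false; } catch (e) { return true; }
}
```

The check that matters most is the one on numberOfRecords: it turns an attacker-chosen loop count and allocation into one bounded by (tag.length - 16) / recordSize, so even before any string is read the cost is proportional to the input. The per-record offset check then keeps each string read inside the tag.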