Vulnerability Database

359,603

Total vulnerabilities in the database

CVE-2026-53496 — exifreader

Uncaught Exception

Summary

ExifReader 4.40.0 can throw an uncaught RangeError: Offset is outside the bounds of the DataView while parsing crafted HEIC/AVIF files. The file only needs a valid leading ftyp box with a HEIC/AVIF major brand followed by a malformed ISO-BMFF box, such as an empty 8-byte free box or a truncated extended-size box.

This is reachable through the public ExifReader.load() API for in-memory buffers and through the async file/URL loaders when an application parses attacker-supplied images. In applications that do not wrap every parse in a defensive try/catch, a single uploaded or fetched image can abort the request/worker and cause a denial of service.

Credit requested: Yaohui Wang.

Affected version tested

  • npm package: exifreader
  • Version: 4.40.0
  • Repository commit tested: 8cb0261a26b7d986955fe0a6780f076dcb7902e7

Root cause

The ISO-BMFF parser assumes that every top-level box with at least an 8-byte header also has enough bytes for the fields required by its parsed form. In src/image-header-iso-bmff.js:

  • findMetaBox() calls parseBox(dataView, offset) while only checking that offset + 8 <= dataView.byteLength.
  • parseBox() calls getBoxLength() and then unconditionally reads fields such as the full-box version byte for meta/iloc/iinf/idat boxes.
  • getBoxLength() handles boxLength === 1 by calling hasEmptyHighBits(dataView, offset), which reads dataView.getUint32(offset + 8) without first checking that the 64-bit extended size field is present.

As a result, syntactically small or truncated boxes after a valid HEIC/AVIF ftyp box escape the format-detection catch blocks and throw from the main parsing path.

Reproduction

Run this from the repository root against the committed dist/exif-reader.js bundle:

const ExifReader = require('./dist/exif-reader.js'); function u32be(n) { return [(n >>> 24) & 255, (n >>> 16) & 255, (n >>> 8) & 255, n & 255]; } function ascii(s) { return Array.from(Buffer.from(s, 'ascii')); } function box(type, content = []) { return [...u32be(8 + content.length), ...ascii(type), ...content]; } for (const brand of ['heic', 'avif']) { for (const badBox of ['free', 'abcd']) { const bytes = Uint8Array.from([ ...box('ftyp', ascii(brand)), ...box(badBox), // 8-byte box header with no content ]); try { ExifReader.load(bytes.buffer); console.log(`${brand}/${badBox}: no throw`); } catch (e) { console.log(`${brand}/${badBox}: ${e.name}: ${e.message}`); console.log(String(e.stack).split('\n').slice(0, 6).join('\n')); } } }

Observed output on Node v23.11.0 with ExifReader 4.40.0:

heic/free: RangeError: Offset is outside the bounds of the DataView RangeError: Offset is outside the bounds of the DataView at DataView.prototype.getUint8 (<anonymous>) at parseBox (.../dist/exif-reader.js:1:16513) at findMetaBox (.../dist/exif-reader.js:1:19032) at findOffsets (.../dist/exif-reader.js:1:19101) heic/abcd: RangeError: Offset is outside the bounds of the DataView avif/free: RangeError: Offset is outside the bounds of the DataView avif/abcd: RangeError: Offset is outside the bounds of the DataView

A second variant triggers the extended-size path:

const truncatedExtendedBox = [...u32be(1), ...ascii('free')]; const heic = Uint8Array.from([...box('ftyp', ascii('heic')), ...truncatedExtendedBox]); ExifReader.load(heic.buffer);

That throws from hasEmptyHighBits() / getBoxLength() because the extended-size high/low fields are not present.

Expected behavior

Malformed/truncated metadata boxes should be handled like other malformed metadata in the project: return only the successfully parsed file type/metadata, return no app markers, or throw a controlled project-specific error. A safe JavaScript bounds error should not escape from the parser for an attacker-controlled image container.

Security impact

This is a denial-of-service issue for services that parse user-provided HEIC/AVIF files with ExifReader. A minimal attacker-controlled image buffer can cause an unhandled exception in the parser and abort the surrounding request/worker if the embedding application does not catch every parse error.

Suggested severity: Medium. Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Suggested fix

Add explicit bounds checks before every DataView read in the ISO-BMFF box parser, especially:

  • before reading the 64-bit extended size fields in getBoxLength();
  • before reading the full-box version byte in parseBox();
  • before descending into parseSubBoxes() when a declared box length exceeds available bytes;
  • ensure findMetaBox() breaks on boxes whose declared length is invalid or not fully present.

A regression test should cover ftyp/heic and ftyp/avif followed by an 8-byte empty free/unknown box and by a truncated extended-size box.

CVSS v3:

  • Severity: Medium
  • Score: 5.3
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.