What is GHSA-rr89-w3h9-m66j?

GHSA-rr89-w3h9-m66j is a security advisory published by GitHub Security Advisories with Medium severity. ExifReader is vulnerable to denial of service via unbounded decompression of image metadata

Which CVE IDs does GHSA-rr89-w3h9-m66j cover?

GHSA-rr89-w3h9-m66j covers the following CVE IDs: CVE-2026-8814. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-rr89-w3h9-m66j?

GHSA-rr89-w3h9-m66j has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

Which products are affected by GHSA-rr89-w3h9-m66j?

GHSA-rr89-w3h9-m66j affects 1 product, including: npm/exifreader:\u003e= 4.20.0, \u003c 4.39.0.

GHSA-rr89-w3h9-m66jMediumCVSS 5.3

ExifReader is vulnerable to denial of service via unbounded decompression of image metadata

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-8814 →

📋 Description

Impact

Versions of ExifReader from 4.20.0 through 4.38.1 do not bound the size of decompressed metadata blocks. When a caller invokes the asynchronous API (e.g. ExifReader.load(file) or ExifReader.load(buffer, {async: true})) on an attacker-supplied image, a small compressed chunk in the file can expand to hundreds of megabytes of memory, consuming heap and CPU until the process slows down or runs out of memory.

The affected paths share a single decompression utility, so the issue is reachable through any compressed metadata block the library handles asynchronously, including:

PNG zTXt, compressed iTXt, and iCCP chunks (deflate)
JPEG XL Brotli-compressed Exif and XMP blocks

A typical proof of concept produced roughly 1000× expansion (for example, ~32 KB of compressed input expanded to ~32 MB of output, ~130 KB to ~128 MB).

Both the npm package and the dist/ bundle published from this repository (consumed by Bower and other users of the prebuilt artifact) are affected.

Patches

Fixed in 4.39.0. The decompression utility now reads the decompressed stream incrementally and aborts as soon as the running total would exceed a configurable limit. The default cap is 128 MiB per metadata block, which is well above any realistic legitimate value. When a block exceeds the cap, that block is skipped (a warning is emitted via console.warn) and the remaining tags are returned as usual.

The cap is configurable via the new maxDecompressedSize field on the decompress option, in bytes:

const tags = await ExifReader.load(file, {
    async: true,
    decompress: {
        maxDecompressedSize: 16 * 1024 * 1024 // 16 MiB
    }
});

The same cap applies to results returned by user-supplied custom brotli/deflate functions.

Workarounds

If upgrading is not possible, avoid invoking the asynchronous API on untrusted inputs. The synchronous code path skips compressed metadata blocks entirely and is not affected. Alternatively, pre-validate input files by source or size before passing them to ExifReader.

Resources

Reporter's writeup: https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55
Patch: https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375
README — "Limiting decompressed metadata size": https://github.com/mattiasw/ExifReader/blob/main/README.md#limiting-decompressed-metadata-size

🎯 Affected products1

npm/exifreader:>= 4.20.0, < 4.39.0