CVE-2020-8175: Uncontrolled resource consumption in jpeg-js
5.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.70629%
CWE
Published
7/27/2020
Updated
9/8/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
jpeg-js | npm | < 0.4.0 | 0.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing resource controls in two key areas: 1) The parse()
function didn't validate()
image dimensions against a maximum resolution limit (maxResolutionInMP), allowing giant image processing. 2) Memory allocations for decoding structures (blocks, DCT tables, Huffman tables) lacked tracking/limiting mechanisms (via requestMemoryAllocation
). The commit 135705b explicitly added these safeguards in the parse()
function and allocation points, confirming these were the vulnerable areas pre-0.4.0.