-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| SixLabors.ImageSharp | nuget | < 2.1.11 | 2.1.11 |
| SixLabors.ImageSharp | nuget | >= 3.0.0, < 3.1.11 | 3.1.11 |
Miggo AIRoot Cause AnalysisThe vulnerability described is a denial-of-service caused by an infinite loop in the GIF decoder of SixLabors.ImageSharp when processing a malformed GIF file. The advisory points to two commits that patch this issue. Analysis of these commits reveals that the changes are concentrated in the ReadComments method within the GifDecoderCore.cs file. The patch adds a check to handle cases where the end of the stream is reached unexpectedly while reading a comment block. This prevents the infinite loop that occurs when the code tries to skip a malformed comment block. Therefore, the SixLabors.ImageSharp.Formats.Gif.GifDecoderCore.ReadComments function is identified as the vulnerable function. During exploitation, a call to this function with a malicious GIF file would trigger the infinite loop, making it a key indicator in a runtime profile.
Ongoing coverage of React2Shell