CVE-2024-21523
📋 TL;DR
The 'images' npm package is vulnerable to Denial of Service (DoS) attacks when unexpected input types are provided to certain functions. Attackers can trigger process crashes by sending specific integer values (like 0) to the size function, causing segmentation faults. This affects all applications using any version of the 'images' package.
💻 Affected Systems
- node-images npm package
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through repeated process crashes, leading to extended downtime and potential data loss in processing pipelines.
Likely Case
Intermittent service interruptions when malicious inputs cause individual process crashes, requiring manual restarts.
If Mitigated
Minimal impact with proper input validation and process isolation in place, allowing for graceful degradation.
🎯 Exploit Status
Exploitation requires sending specific integer values (like 0) to vulnerable functions, which is trivial to automate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: No official vendor advisory found
Restart Required: Yes
Instructions:
1. Remove the 'images' package from your project.
2. Use an alternative image processing library like 'sharp' or 'jimp'.
3. Update package.json dependencies.
4. Restart all affected services.
🔧 Temporary Workarounds
Input validation wrapper
Wrap all calls to 'images' functions with strict input validation to reject unexpected types and specific integer values.
Process isolation
Run image processing in isolated worker processes or containers to limit crash impact to individual requests.
🧯 If You Can't Patch
- Implement strict input validation at application boundaries to filter malicious values before reaching vulnerable functions.
- Deploy rate limiting and monitoring to detect and block repeated crash attempts.
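The input validation wrapper named under Temporary Workarounds and in the first point above, as an added example that is not code from this advisory or from the node-images project. It assumes the upstream call shape `images(src).size(width[, height])`; the image object is passed in rather than required, so the snippet runs without the package installed, and MAX_DIMENSION is a constructed bound to tune per service.

```javascript
// Added example: validate size() arguments before they reach the native
// 'images' code, rejecting wrong types and non-positive integers such as 0.
// Assumes the upstream API images(src).size(width[, height]).

const MAX_DIMENSION = 16384; // constructed upper bound; tune to your service

// Returns null when value is an acceptable dimension, else a reason string.
function dimensionError(name, value) {
  if (typeof value !== 'number') {
    return `${name} must be a number, got ${typeof value}`;
  }
  if (!Number.isInteger(value)) {
    // Also catches NaN from Number('abc') and non-finite values.
    return `${name} must be an integer, got ${value}`;
  }
  if (value <= 0) return `${name} must be positive, got ${value}`;
  if (value > MAX_DIMENSION) return `${name} exceeds ${MAX_DIMENSION}`;
  return null;
}

// Collects every problem with (width, height). height is optional in the
// upstream API, so undefined is allowed there but null and strings are not.
function validateSizeArgs(width, height) {
  const errors = [];
  const w = dimensionError('width', width);
  if (w) errors.push(w);
  if (height !== undefined) {
    const h = dimensionError('height', height);
    if (h) errors.push(h);
  }
  return errors;
}

// Guarded replacement for img.size(): throws a TypeError the caller can
// turn into a 400 response instead of letting bad input crash the process.
function safeSize(img, width, height) {
  const errors = validateSizeArgs(width, height);
  if (errors.length > 0) {
    throw new TypeError(`rejected size(): ${errors.join('; ')}`);
  }
  return height === undefined ? img.size(width) : img.size(width, height);
}

module.exports = { MAX_DIMENSION, dimensionError, validateSizeArgs, safeSize };
```

At a request boundary, call safeSize(images(src), width, height) inside a try/catch and map the TypeError to a client error so that the native call never sees the rejected values.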
🔍 How to Verify
Check if Vulnerable:
Check if 'images' package is in package.json or node_modules: grep -r 'images' package.json && npm list images
Check Version:
npm list images | grep images
Verify Fix Applied:
Confirm 'images' package is removed: npm list images should show 'empty' and package.json should not contain 'images' dependency.
📡 Detection & Monitoring
Log Indicators:
- Process crashes with segmentation fault errors
- Abnormal termination of Node.js processes handling images
- Error logs containing 'assert' failures
Network Indicators:
- Repeated requests with unusual integer parameters to image processing endpoints
- Sudden spikes in 5xx errors from image services
SIEM Query:
source="application.logs" AND ("segmentation fault" OR "assert failed" OR "process crashed") AND "images"
🔗 References
- https://gist.github.com/dellalibera/8b4ea6b4db84cba212e6e6e39a6933d1
- https://github.com/zhangyuanwei/node-images/blob/691d49f4e620b4eec9f1c47b1735841d9d8b55f6/src/Image.cc
- https://security.snyk.io/vuln/SNYK-JS-IMAGES-6421826