Affected versions of this package are vulnerable to Infinite loop in the extractPartialStreams() and corresponding extraction functions for HEIF, JP2, and JXL. An attacker supplying an image whose requested box declares a size of zero can hang the parser indefinitely.
Note: This is a bypass of the fix for the vulnerability described in CVE-2025-71319.
Affected versions of this package are vulnerable to Infinite loop in icns.js. An ICNS file with an icon entry whose declared length is zero can hang the parser indefinitely.