GHSA-rxmq-m78w-7wmc

Source
https://github.com/advisories/GHSA-rxmq-m78w-7wmc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-rxmq-m78w-7wmc/GHSA-rxmq-m78w-7wmc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rxmq-m78w-7wmc
Aliases
Published
2025-07-30T13:23:01Z
Modified
2025-07-31T11:34:24.295122Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
SixLabors ImageSharp Has Infinite Loop in GIF Decoder When Skipping Malformed Comment Extension Blocks
Details

Impact

A specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp GIF decoder to enter an infinite loop while attempting to skip the block. This leads to a denial of service. Applications processing untrusted GIF input should upgrade to a patched version.

Patches

The problem has been patched. All users are advised to upgrade to v3.1.11 or v2.1.11.

Workarounds

None.
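To make the failure mode concrete, the following is an added example (it is not ImageSharp's code) of a GIF data sub-block skipper that treats end-of-input as a hard error instead of waiting for a block terminator that never arrives. The sample byte strings, the function names and the exception type are constructed for this demonstration.

```python
import io

# Constructed sample data (not taken from the advisory): a GIF comment
# extension (introducer 0x21, label 0xFE) carrying one sub-block "Hello"
# followed by the mandatory zero-length block terminator.
WELL_FORMED = bytes([0x21, 0xFE, 0x05]) + b"Hello" + b"\x00"
# Two chained sub-blocks ("abc", "de") and then the terminator.
MULTI_BLOCK = bytes([0x21, 0xFE, 0x03]) + b"abc" + bytes([0x02]) + b"de" + b"\x00"
# The same extension with the block terminator missing: the data just ends.
MISSING_TERMINATOR = bytes([0x21, 0xFE, 0x05]) + b"Hello"
# A sub-block whose declared length exceeds what is actually present.
SHORT_PAYLOAD = bytes([0x21, 0xFE, 0x09]) + b"Hello"


class TruncatedGifError(ValueError):
    """Raised when the input ends before a block terminator is seen."""


def skip_sub_blocks(stream: io.BufferedIOBase) -> int:
    """Skip a chain of GIF data sub-blocks; return the payload bytes skipped.

    Each sub-block starts with a length byte and a zero length ends the
    chain. A short read means the input ended early; that must abort the
    loop, because retrying the read can never produce the terminator.
    """
    skipped = 0
    while True:
        size_byte = stream.read(1)
        if len(size_byte) != 1:
            raise TruncatedGifError("input ended before the block terminator")
        size = size_byte[0]
        if size == 0:
            return skipped
        payload = stream.read(size)
        if len(payload) != size:
            raise TruncatedGifError(f"sub-block declared {size} bytes, got {len(payload)}")
        skipped += size


def skip_comment_extension(data: bytes) -> int:
    """Validate one comment extension at the start of data; return its total length."""
    stream = io.BytesIO(data)
    if stream.read(2) != b"\x21\xfe":
        raise ValueError("not a GIF comment extension")
    skip_sub_blocks(stream)
    return stream.tell()


def is_truncated(data: bytes) -> bool:
    """True when the extension ends without a terminator (the advisory's malformed case)."""
    try:
        skip_comment_extension(data)
    except TruncatedGifError:
        return True
    return False
```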

Database specific
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2025-07-30T13:23:01Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "nvd_published_at": "2025-07-30T20:15:37Z"
}
References

Affected packages

NuGet / SixLabors.ImageSharp

Package

Name
SixLabors.ImageSharp
Purl
pkg:nuget/SixLabors.ImageSharp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.11

Affected versions

1.*

1.0.0-beta0001
1.0.0-beta0002
1.0.0-beta0003
1.0.0-beta0004
1.0.0-beta0005
1.0.0-beta0006
1.0.0-beta0007
1.0.0-rc0001
1.0.0-rc0002
1.0.0-rc0003
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10

NuGet / SixLabors.ImageSharp

Package

Name
SixLabors.ImageSharp
Purl
pkg:nuget/SixLabors.ImageSharp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.11

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10