Headline
GHSA-rxmq-m78w-7wmc: SixLabors ImageSharp Has Infinite Loop in GIF Decoder When Skipping Malformed Comment Extension Blocks
Impact
A specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp GIF decoder to enter an infinite loop while attempting to skip the block. This leads to a denial of service. Applications processing untrusted GIF input should upgrade to a patched version.
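The failure mode described above, as an added C# example that is not ImageSharp's code or its patch: a GIF sub-block skipper that treats end of stream as an error instead of waiting for a terminator that never arrives. `GifSubBlocks`, `Skip` and the sample bytes are constructed for illustration, and the idea that a vulnerable loop tests only for a zero length byte is an assumption about this bug class, not a detail taken from the advisory.

```csharp
using System;
using System.IO;

// Added illustration, not ImageSharp source. GifSubBlocks and Skip are hypothetical names.
static class GifSubBlocks
{
    // GIF extension data is a chain of sub-blocks: one length byte (1-255)
    // followed by that many data bytes, ended by a zero-length block (0x00).
    // Returns the number of data bytes skipped.
    public static long Skip(Stream stream)
    {
        Span<byte> buffer = stackalloc byte[255];
        long skipped = 0;
        while (true)
        {
            int length = stream.ReadByte();
            if (length == 0)
            {
                return skipped; // block terminator reached
            }

            // Stream.ReadByte returns -1 at end of stream. A loop that only
            // tests for 0 (assumed bug class) never exits once input runs out.
            if (length < 0)
            {
                throw new InvalidDataException("GIF sub-block chain ended without a terminator.");
            }

            // Consume the payload with bounded reads so a length byte that
            // overruns the remaining input is rejected as well.
            int remaining = length;
            while (remaining > 0)
            {
                int read = stream.Read(buffer.Slice(0, remaining));
                if (read <= 0) throw new InvalidDataException("GIF sub-block is truncated.");
                remaining -= read;
            }
            skipped += length;
        }
    }

    static void Main()
    {
        // Constructed sample data: comment payload "hi" with and without the 0x00 terminator.
        byte[] wellFormed = { 0x02, (byte)'h', (byte)'i', 0x00 };
        byte[] unterminated = { 0x02, (byte)'h', (byte)'i' };
        Console.WriteLine(Skip(new MemoryStream(wellFormed)));
        try { Skip(new MemoryStream(unterminated)); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```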
Patches
The problem has been patched. All users are advised to upgrade to v3.1.11 or v2.1.11.
Workarounds
None.
Moderate severity • GitHub Reviewed • Published Jul 30, 2025 in SixLabors/ImageSharp • Updated Jul 30, 2025
Package
SixLabors.ImageSharp (NuGet)
Affected versions
< 2.1.11
>= 3.0.0, < 3.1.11
Patched versions
2.1.11
3.1.11
References
- GHSA-rxmq-m78w-7wmc
- SixLabors/ImageSharp#2953
- SixLabors/ImageSharp@55e4926
- SixLabors/ImageSharp@833f3ce
Published to the GitHub Advisory Database
Jul 30, 2025
Last updated
Jul 30, 2025