Follow me on Twitter: Scalar360

DOS in imgix CDN's image processing application by pixel flood


Imgix through 2019-06-19 allows remote attackers to cause a denial of service (resource consumption) by manipulating a small JPEG file to specify dimensions of 64250x64250 pixels, which is mishandled during an attempt to load the 'whole image' into memory.

I found this vulnerability in a private program that was using imgix as its CDN: when imgix tried to process the crafted image, the service was DoSed.

Vulnerability Type

  Buffer Overflow
  Impact: Denial of Service

Vendor of Product

imgix
Affected Component 

image processing application and CDN

Attack Type

Remote
  To exploit this I upload an image. I have an image of 5 KB, 260x260 pixels.
  In the image itself I replace the 260x260 values with 0xfafa x 0xfafa
  (that is, 64250x64250 pixels). Once the image is uploaded, the imgix CDN
  service tries to convert it. By loading the 'whole image' into memory, it
  tries to allocate 4128062500 pixels, flooding memory and causing a DoS.
  I received a 500 Internal Server Error from the image CDN with 55,000+ latency.
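The defence against this class of "pixel flood" is to read the dimensions an image claims before handing it to a decoder, and refuse to allocate for a declared size that the pipeline cannot afford. The example below is added here and is not imgix's code; it walks the JPEG marker segments to the first SOFn header, computes the declared pixel count, and compares it against an assumed budget (the `MAX_PIXELS` and `MAX_PIXELS_PER_BYTE` values are illustrative policy knobs, not anything the advisory specifies). The `sof_only_jpeg` helper is a constructed test fixture that contains only a header and no scan data, so the check can be run offline on a 260x260 and a 64250x64250 declaration.

```python
import struct
from typing import Dict, Tuple

# Assumed policy knobs (not from the advisory): a pixel budget and a ceiling on
# declared pixels per byte of file, which catches tiny files claiming huge frames.
MAX_PIXELS = 50_000_000        # about 50 megapixels
MAX_PIXELS_PER_BYTE = 10_000   # a 5 KB file declaring > 50 MP is not plausible

# SOF0..SOF15 markers, minus DHT (C4), JPG (C8) and DAC (CC) which share the range.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE_MARKERS = {0x01, *range(0xD0, 0xD8)}   # TEM and RSTn carry no length


def jpeg_declared_size(data: bytes) -> Tuple[int, int]:
    """Return (width, height) from the first SOFn marker without decoding pixels."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE_MARKERS:
            continue
        if marker in (0xD9, 0xDA):        # EOI, or SOS reached before any SOF
            break
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError("bad segment length")
        if marker in SOF_MARKERS:
            if seg_len < 7:
                raise ValueError("SOF segment too short")
            # SOF payload: precision(1) height(2) width(2) ncomponents(1) ...
            _precision, height, width = struct.unpack(">BHH", data[pos + 2:pos + 7])
            return width, height
        pos += seg_len
    raise ValueError("no SOF marker found")


def check_pixel_budget(data: bytes, max_pixels: int = MAX_PIXELS,
                       max_pixels_per_byte: int = MAX_PIXELS_PER_BYTE) -> Dict[str, int]:
    """Decide, from the header alone, whether decoding this file is affordable."""
    width, height = jpeg_declared_size(data)
    pixels = width * height
    pixels_per_byte = pixels / max(len(data), 1)
    return {
        "width": width,
        "height": height,
        "pixels": pixels,
        "est_rgb_bytes": pixels * 3,   # what a naive 'whole image' load would allocate
        "accepted": pixels <= max_pixels and pixels_per_byte <= max_pixels_per_byte,
    }


def sof_only_jpeg(width: int, height: int) -> bytes:
    """Constructed test fixture: SOI + one SOF0 header (3 components) + EOI.
    It has no scan data and is not a viewable image; it only feeds the check."""
    sof_payload = struct.pack(">BHHB", 8, height, width, 3) + bytes(
        [1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1])   # component id / sampling / qtable
    return (b"\xff\xd8" + b"\xff\xc0" + struct.pack(">H", len(sof_payload) + 2)
            + sof_payload + b"\xff\xd9")


if __name__ == "__main__":
    for w, h in ((260, 260), (64250, 64250)):
        print(w, h, check_pixel_budget(sof_only_jpeg(w, h)))
```

Run before any decode step (or as an upload-time validator): the 260x260 header is accepted, while the 64250x64250 header (0xfafa x 0xfafa) yields 4128062500 declared pixels, roughly 12 GB of RGB buffer, and is rejected without ever touching a decoder.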

Image can be downloaded from here:

