CVE-2025-67419: evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API

January 5, 2026

A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server’s resources via the “GET /images” API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service.

References

github.com/advisories/GHSA-m2q5-xhqg-92r2
github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67419
github.com/evershopcommerce/evershop
nvd.nist.gov/vuln/detail/CVE-2025-67419
pages.dos-m0nk3y.com/blog/EverShop%202.1.0%20-%20Unauthenticated%20DoS/

Code Behaviors & Features

Detect and mitigate CVE-2025-67419 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →