From 3aeeff48cdf9d6a6478231fd66a12d964ffe5540 Mon Sep 17 00:00:00 2001
From: Webysther Sperandio
Date: Mon, 20 Apr 2026 07:43:23 +0200
Subject: [PATCH] Fix security decompression bombs
---
 server/src/repositories/media.repository.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/src/repositories/media.repository.ts b/server/src/repositories/media.repository.ts
index 58e006171a..6b4340fb7e 100644
--- a/server/src/repositories/media.repository.ts
+++ b/server/src/repositories/media.repository.ts
@@ -186,7 +186,7 @@ export class MediaRepository {
     let pipeline = sharp(input, {
       // some invalid images can still be processed by sharp, but we want to fail on them by default to avoid crashes
       failOn: options.processInvalidImages ? 'none' : 'error',
-      limitInputPixels: false,
+      limitInputPixels: 1000000000,
       raw: options.raw,
       unlimited: true,
     })
@@ -313,7 +313,7 @@ export class MediaRepository {
   }
 
   async getImageMetadata(input: string | Buffer): Promise {
-    const { width = 0, height = 0, hasAlpha = false } = await sharp(input).metadata();
+    const { width = 0, height = 0, hasAlpha = false } = await sharp(input, {limitInputPixels: 1000000000}).metadata();
     return { width, height, isTransparent: hasAlpha };
   }
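Review bot: `unlimited: true` is still passed next to the new `limitInputPixels` in the first hunk; in sharp that flag removes the per-format safeguards against memory exhaustion (JPEG, PNG, SVG, HEIF), so a pixel cap on its own leaves part of the decompression-bomb exposure the subject line says is fixed — it should be dropped, gated on the same opt-in as `processInvalidImages`, or the reason it must stay recorded in a comment on that line. The literal `1000000000` is repeated in both hunks; hoisting it to one module-level constant, `const MAX_INPUT_PIXELS = 1000000000; // ~3.7x sharp's default of 0x3FFF * 0x3FFF pixels`, keeps the two call sites from drifting and gives the cap's rationale a home. In the second hunk, `metadata()` only has to read the image header, and whether sharp enforces `limitInputPixels` on that path at all is worth confirming against its source before the option is relied on there as protection. Both enclosing functions start or end outside their hunks.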