stb is a single-file public domain library for C/C. stb_image.h is one of the image loaders. stb stb_image.h is vulnerable, and an attacker could use stb_image to crash the service or read up to 1024 bytes of non-contiguous heap data without controlling where it is read.