PT-2026-23095 · Svgo · Svgo

Byamb4 · Published 2026-03-04 · Updated 2026-03-12 · CVE-2026-29074

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

SVGO versions 2.1.0 through 2.8.0
SVGO versions 3.0.0 through 3.3.2
SVGO versions prior to 4.0.1

Description

SVGO is susceptible to a denial-of-service issue stemming from improper handling of XML custom entities. Specifically, the software does not adequately protect against entity expansion or recursion. A small, maliciously crafted XML file (approximately 811 bytes) can cause the application to stall or crash through excessive memory consumption, resulting in a JavaScript heap out of memory error. The issue arises because SVGO uses an upstream XML parser that, by default, does not interpret custom XML entities. SVGO modifies the parser to support entities declared in the DOCTYPE, but this introduces the risk of exponential expansion when entities reference one another. The condition can be triggered when processing untrusted SVG input, so server-side applications that optimize user-supplied SVG files are the most exposed.

Recommendations

SVGO versions 2.1.0 through 2.8.0: Upgrade to version 2.8.1 or later.
SVGO versions 3.0.0 through 3.3.2: Upgrade to version 3.3.3 or later.
SVGO versions prior to 4.0.1: Upgrade to version 4.0.1 or later.
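For deployments that cannot upgrade immediately, a pre-parse guard that bounds how far DOCTYPE-declared entities would expand is a practical compensating control. The following is an added example written for this advisory, not SVGO's own code; the function names, the MAX_EXPANSION budget and the sample inputs are assumptions constructed here.

```javascript
// Added example, not SVGO's code: estimate how far DOCTYPE-declared entities
// would expand BEFORE the SVG reaches a parser that resolves them. Function
// names and the MAX_EXPANSION budget are assumptions chosen for this example.
const MAX_EXPANSION = 10_000; // byte budget for the expanded document body
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([A-Za-z_:][\w.:-]*);/g;
// Collect internal entity declarations from the DOCTYPE internal subset.
function parseEntityDecls(svg) {
  const decls = new Map();
  for (const m of svg.matchAll(ENTITY_DECL)) decls.set(m[1], m[2] ?? m[3]);
  return decls;
}
// Expanded length of `text` with references resolved recursively. Memoized per
// entity, a reference cycle yields Infinity, and evaluation stops as soon as the
// budget is exceeded so a hostile file cannot make the check itself expensive.
function expandedLength(text, decls, memo, stack) {
  let total = 0, last = 0;
  for (const r of text.matchAll(ENTITY_REF)) {
    total += r.index - last;
    last = r.index + r[0].length;
    const name = r[1];
    if (stack.has(name)) return Infinity;                     // recursive entity
    if (!decls.has(name)) { total += r[0].length; continue; } // e.g. &amp;
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, expandedLength(decls.get(name), decls, memo, stack));
      stack.delete(name);
    }
    total += memo.get(name);
    if (total > MAX_EXPANSION) return total;
  }
  return total + text.length - last;
}
// Size the body (everything after the internal subset) would expand to;
// reject the input before parsing when `safe` is false.
function analyzeEntities(svg) {
  const decls = parseEntityDecls(svg);
  const end = svg.indexOf(']>');
  const body = end === -1 ? svg : svg.slice(end + 2);
  const expansion = expandedLength(body, decls, new Map(), new Set());
  return { entityCount: decls.size, expansion, safe: expansion <= MAX_EXPANSION };
}
// Constructed inputs (not the advisory's file): a benign nested reference and a
// three-level chain where each entity references the previous one ten times.
const BENIGN = '<!DOCTYPE svg [<!ENTITY a "xx"><!ENTITY b "&a;&a;">]><svg>&b;</svg>';
const NESTED = '<!DOCTYPE svg [<!ENTITY e0 "0123456789">' +
  [1, 2, 3].map(i => `<!ENTITY e${i} "${`&e${i - 1};`.repeat(10)}">`).join('') +
  ']><svg>&e3;</svg>';
```

Because evaluation stops once the budget is passed, `expansion` is exact only for inputs that stay within the budget; for over-budget input it is a lower bound that is still sufficient to reject the file.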

Exploit

Fix

DoS

XML Entity Expansion

Weakness Enumeration

Related Identifiers

CVE-2026-29074
GHSA-XPQW-6GX7-V673
RHSA-2026:13512
RHSA-2026:6277
SUSE-SU-2026:2005-1
SUSE-SU-2026:2019-1

Affected Products

Svgo