PT-2026-25842 · Dicebear+1

Maru1009 · Published 2026-03-16 · Updated 2026-03-18 · CVE-2026-29112

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: DiceBear versions prior to 9.4.0
Description: DiceBear is an avatar library used by designers and developers. A flaw exists in the ensureSize() function of the @dicebear/converter component prior to version 9.4.0: it reads the width and height attributes of the input SVG to determine the output canvas size for rasterization to PNG, JPEG, WebP, or AVIF. An attacker can exploit this by supplying a specially crafted SVG with excessively large dimensions, such as width="999999999", which forces the server to allocate an excessive amount of memory for the canvas and can lead to a denial-of-service condition. The issue primarily affects server-side applications that process untrusted or user-supplied SVG files with the converter's toPng(), toJpeg(), toWebp(), or toAvif() functions. Applications that only convert avatars they generated themselves with DiceBear are not easily exploitable, but upgrading is still recommended.
Recommendations: Update to version 9.4.0 or later. If an immediate upgrade is not possible, validate and sanitize the width and height attributes of any untrusted SVG input before passing it to the converter: reject or clamp oversized values instead of trusting the declared size, since the rasterizer allocates the whole canvas up front.
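The workaround above, worked out as an added example (this is not DiceBear's own code and does not reproduce its ensureSize() logic): a Node.js gate that sits in front of the converter's toPng()/toJpeg()/toWebp()/toAvif() calls, reads the root <svg> element's width and height the way a rasterizer sizes its canvas, converts absolute CSS units to pixels, rejects anything over a fixed pixel budget, and then pins the attributes to the checked values so the rasterizer cannot derive a different canvas size. It also falls back to viewBox when width/height are absent, since many rasterizers size from it; whether the DiceBear converter does so is not stated on this page. The limits, the default size and every function name are this example's own assumptions, and the sample SVGs are constructed.

```javascript
// Added example, not DiceBear project code. Dependency-free size gate for
// untrusted SVG that is about to be rasterized.

const MAX_SIDE_PX = 4096;           // assumption: largest side we will rasterize
const MAX_PIXELS = 4096 * 4096;     // assumption: area budget (64 MiB of RGBA pixels)
const DEFAULT_SIZE_PX = 256;        // assumption: size used when nothing is declared

// Absolute CSS lengths to CSS px at 96 dpi. Percentages, em/ex/rem and unknown
// units are rejected rather than guessed.
const UNIT_PX = { '': 1, px: 1, in: 96, cm: 96 / 2.54, mm: 96 / 25.4, pt: 96 / 72, pc: 16 };

function parseLength(value) {
  if (value === undefined) return undefined;
  const m = /^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)([a-zA-Z%]*)\s*$/.exec(value);
  if (!m) throw new Error(`unparseable length ${JSON.stringify(value)}`);
  const unit = m[2].toLowerCase();
  if (!(unit in UNIT_PX)) throw new Error(`unsupported length unit ${JSON.stringify(unit)}`);
  const px = Number(m[1]) * UNIT_PX[unit];
  if (!Number.isFinite(px) || px <= 0) throw new Error(`non-positive length ${JSON.stringify(value)}`);
  return px;
}

// Locate the root <svg ...> start tag. Comments are stripped first so that
// "<svg" inside a comment is not picked up. A real XML parser is the sturdier
// choice in production; the regex keeps this example self-contained.
function rootSvgTag(svgText) {
  const text = svgText.replace(/<!--[\s\S]*?-->/g, '');
  const m = /<svg\b([^>]*?)(\/?)>/.exec(text);
  if (!m) throw new Error('no <svg> root element');
  return { text, start: m.index, end: m.index + m[0].length, attrs: m[1], selfClosing: m[2] === '/' };
}

function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrText)) !== null) attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

// Decide the canvas size an untrusted SVG is allowed to get. Throws when the
// declared size exceeds the budget. Falls back to viewBox, then to a default,
// when width/height are absent, so that a viewBox-only document is bounded too.
function checkSvgDimensions(svgText) {
  const a = parseAttrs(rootSvgTag(svgText).attrs);
  let width = parseLength(a.width);
  let height = parseLength(a.height);
  if (width === undefined || height === undefined) {
    const vb = a.viewBox ? a.viewBox.trim().split(/[\s,]+/).map(Number) : [];
    const vbOk = vb.length === 4 && vb.every(Number.isFinite) && vb[2] > 0 && vb[3] > 0;
    if (width === undefined) width = vbOk ? vb[2] : DEFAULT_SIZE_PX;
    if (height === undefined) height = vbOk ? vb[3] : DEFAULT_SIZE_PX;
  }
  if (width > MAX_SIDE_PX || height > MAX_SIDE_PX || width * height > MAX_PIXELS) {
    throw new Error(`SVG canvas ${width}x${height} exceeds rasterization budget`);
  }
  return { width: Math.ceil(width), height: Math.ceil(height) };
}

// Pin the root element to the checked size so the rasterizer reads exactly the
// values we validated. All other root attributes (xmlns, viewBox, ...) are kept.
function pinSvgDimensions(svgText) {
  const { width, height } = checkSvgDimensions(svgText);
  const { text, start, end, attrs, selfClosing } = rootSvgTag(svgText);
  const kept = attrs.replace(/\s+(?:width|height)\s*=\s*(?:"[^"]*"|'[^']*')/g, '');
  const tag = `<svg${kept} width="${width}" height="${height}"${selfClosing ? '/' : ''}>`;
  return text.slice(0, start) + tag + text.slice(end);
}

// Constructed sample inputs (not taken from any real report).
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 64 64"><circle cx="32" cy="32" r="30"/></svg>';
const HOSTILE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="999999999" height="999999999"><rect width="1" height="1"/></svg>';
const HOSTILE_VIEWBOX_SVG = '<!-- size comes only from viewBox --><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 99999 99999"/>';

// Usage: hand pinSvgDimensions(userSvg) to toPng() and friends; it throws for
// oversized or malformed input before any canvas is allocated.
for (const [name, svg] of Object.entries({ BENIGN_SVG, HOSTILE_SVG, HOSTILE_VIEWBOX_SVG })) {
  try {
    console.log(name, 'accepted, canvas', checkSvgDimensions(svg));
  } catch (e) {
    console.log(name, 'rejected:', e.message);
  }
}
```

The budget is deliberately expressed as both a maximum side and a maximum area: a 4096x1 image is harmless, a 100000x100000 one is not, and a width-only check misses the second kind when height is large. Pinning, rather than only validating, is what removes the dependence on how the converter itself resolves a missing or unit-suffixed attribute.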


Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-29112
GHSA-v3r3-4qgc-vw66

Affected Products

@dicebear/converter
DiceBear