PT-2026-26757 · Unknown · @resvg/resvg-js +1

Restriction · Published 2026-03-20 · Updated 2026-03-24 · CVE-2026-33418

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: @dicebear/converter versions prior to 9.4.2
Description: The ensureSize() function in @dicebear/converter previously used a regex-based method to cap the SVG width and height attributes at 2048px as a denial-of-service guard. The cap could be bypassed with SVG input that made the regex match a non-functional "<svg" occurrence placed before the actual SVG root element, so the root element's own dimensions were left untouched. When such input was processed by @resvg/resvg-js on the Node.js code path, the SVG rendered at the attacker-specified dimensions, potentially leading to out-of-memory crashes. The root cause was a String.prototype.replace() call with a non-global regex: it rewrote only the first "<svg" match and did not distinguish the real SVG root element from other "<svg" occurrences in the input. The Node.js rendering path also passed no fitTo constraint in its renderAsync call, so nothing bounded the render on the renderer side either. The browser code path is not affected.
Recommendations: Update to @dicebear/converter version 9.4.2 or later.
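The bypass and the two ways of closing it, as an added example that is not @dicebear/converter's own code: a regex-based clamp in the spirit of the vulnerable ensureSize() described above, the minimal fix (the same regexes made global, so the real root is rewritten too), and a structural alternative that skips the prolog and clamps only the attributes of the real root start tag. All function names, regexes and the sample SVG below are illustrative reconstructions; the renderer-side fitTo constraint the advisory mentions belongs in the @resvg/resvg-js call and is not modeled here.

```javascript
// Added example, not @dicebear/converter's own code: a regex-based size clamp
// in the spirit of the vulnerable ensureSize() described above, beside two
// fixed variants. Names, regexes and the sample SVG are illustrative.

const MAX_SIZE = 2048;
const clamp = (v) => Math.min(Number(v), MAX_SIZE);

// Vulnerable pattern: a non-global replace rewrites the first "<svg ... width"
// it finds, which need not belong to the root element.
function ensureSizeVulnerable(svg) {
  return svg
    .replace(/(<svg[^>]*?)\swidth="(\d+)"/, (_, head, w) => `${head} width="${clamp(w)}"`)
    .replace(/(<svg[^>]*?)\sheight="(\d+)"/, (_, head, h) => `${head} height="${clamp(h)}"`);
}

// Minimal fix: the same regexes with the g flag, so every "<svg" occurrence,
// the real root included, is clamped; decoys are rewritten too, harmlessly.
function ensureSizeGlobal(svg) {
  return svg
    .replace(/(<svg[^>]*?)\swidth="(\d+)"/g, (_, head, w) => `${head} width="${clamp(w)}"`)
    .replace(/(<svg[^>]*?)\sheight="(\d+)"/g, (_, head, h) => `${head} height="${clamp(h)}"`);
}

// Structural fix: skip the prolog (whitespace, comments, XML declaration and
// other processing instructions, DOCTYPE), require that the first element is
// <svg>, and return the bounds of its start tag.
function findRootStartTag(svg) {
  const n = svg.length;
  let i = 0;
  const skipPast = (open, close) => {
    if (!svg.startsWith(open, i)) return false;
    const end = svg.indexOf(close, i + open.length);
    if (end < 0) throw new Error(`unterminated ${open}`);
    i = end + close.length;
    return true;
  };
  while (i < n) {
    if (/\s/.test(svg[i])) { i++; continue; }
    if (skipPast('<!--', '-->') || skipPast('<?', '?>')) continue;
    if (svg.startsWith('<!DOCTYPE', i)) {
      const end = svg.indexOf('>', i);
      // A DOCTYPE with an internal subset ([...]) is rejected rather than parsed.
      if (end < 0 || svg.slice(i, end).includes('[')) throw new Error('unsupported DOCTYPE');
      i = end + 1; continue;
    }
    break;
  }
  if (!/^<svg(?=[\s>\/])/.test(svg.slice(i, i + 5))) throw new Error('root element is not <svg>');
  let j = i + 4, quote = null;          // find the '>' that closes the start tag
  for (; j < n; j++) {
    const c = svg[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') break;
  }
  if (j >= n) throw new Error('unterminated root start tag');
  return { start: i, end: j + 1 };
}

// Sequential attribute tokenizer for one start tag: a "width=" that sits
// inside another attribute's quoted value is consumed with that value.
function tokenizeAttributes(tag) {
  const re = /([^\s=\/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  re.lastIndex = 4;                     // skip "<svg"
  const attrs = [];
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs.push({ name: m[1], value: m[2] !== undefined ? m[2] : m[3], index: m.index, raw: m[0] });
  }
  return attrs;
}

// Accept unitless and px lengths only; anything else is rejected, not guessed.
function clampDimension(value) {
  const m = /^\s*(\d+(?:\.\d+)?)(px)?\s*$/.exec(value);
  if (!m) throw new Error(`unsupported length: ${value}`);
  return String(clamp(m[1]));
}

function ensureSizeHardened(svg) {
  const { start, end } = findRootStartTag(svg);
  const tag = svg.slice(start, end);
  let out = '', last = 0;
  for (const a of tokenizeAttributes(tag)) {
    out += tag.slice(last, a.index);
    out += (a.name === 'width' || a.name === 'height') ? `${a.name}="${clampDimension(a.value)}"` : a.raw;
    last = a.index + a.raw.length;
  }
  return svg.slice(0, start) + out + tag.slice(last) + svg.slice(end);
}

// Constructed sample: a decoy "<svg" inside a comment precedes the real root.
const DECOY_SVG =
  '<!-- <svg width="1" height="1"> -->\n' +
  '<svg xmlns="http://www.w3.org/2000/svg" width="100000" height="100000">' +
  '<rect width="10" height="10"/></svg>';
```

On DECOY_SVG, ensureSizeVulnerable() rewrites the commented-out "<svg" and returns the input unchanged, leaving the root at 100000x100000; both ensureSizeGlobal() and ensureSizeHardened() bring the root down to 2048x2048. The hardened variant fails closed (it throws) when the first element is not <svg>, when a DOCTYPE carries an internal subset, or when a length uses a unit it does not understand. Note that none of the three functions touches an SVG that declares no width or height at all, so the renderer-side bound the advisory refers to (a fitTo constraint in the @resvg/resvg-js renderAsync call) remains the necessary backstop.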


Weakness Enumeration

Related Identifiers

CVE-2026-33418
GHSA-7J2X-32W6-P43P

Affected Products

@dicebear/converter
@resvg/resvg-js