CVE-2026-29074
📋 TL;DR
SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 are vulnerable to XML entity expansion attacks. Attackers can craft small malicious SVG files that cause denial of service by crashing Node.js processes with out-of-memory errors. This affects any application or service using vulnerable SVGO versions to process SVG files.
💻 Affected Systems
- SVGO (SVG Optimizer)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for applications processing SVG files, potentially crashing entire Node.js processes and disrupting services.
Likely Case
Service disruption when processing malicious SVG files, leading to application crashes and downtime.
If Mitigated
Minimal impact with proper input validation and updated versions, though performance degradation may occur during attack attempts.
🎯 Exploit Status
Exploitation requires only a malicious SVG file. The advisory includes proof-of-concept XML demonstrating the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.1, 3.3.3, or 4.0.1
Vendor Advisory: https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673
Restart Required: Yes
Instructions:
1. Identify the SVGO version in package.json or via npm list.
2. Update to a patched version: npm update svgo@latest, or specify an exact version: npm install svgo@2.8.1, svgo@3.3.3, or svgo@4.0.1.
3. Restart any running Node.js applications using SVGO.
🔧 Temporary Workarounds
Input validation for SVG files
- Implement XML entity validation before passing files to SVGO
- Implement a custom XML parser with entity expansion limits
Rate limiting SVG processing
- Limit concurrent SVG processing and implement timeouts
- Set the Node.js --max-old-space-size flag to limit memory
- Implement processing timeouts in application code
🧯 If You Can't Patch
- Implement strict file upload validation rejecting SVG files with XML entities
- Run SVGO in isolated containers with memory limits and automatic restart on crash
🔍 How to Verify
Check if Vulnerable:
Check package.json for SVGO version or run: npm list svgo
Check Version:
npm list svgo | grep svgo
Verify Fix Applied:
Confirm version is 2.8.1+, 3.3.3+, or 4.0.1+ via npm list svgo
📡 Detection & Monitoring
Log Indicators:
- Node.js heap out of memory errors
- Process crashes during SVG processing
- Unusually high memory usage spikes
Network Indicators:
- Increased failed requests to SVG processing endpoints
- Service degradation for SVG-related functionality
SIEM Query:
source="application.logs" AND ("heap out of memory" OR "FATAL ERROR") AND process="node"