CVE-2026-29074 Overview
SVGO (SVG Optimizer), a widely-used Node.js library and command-line application for optimizing SVG files, contains a critical XML Entity Expansion vulnerability. The library accepts XML with custom entities without implementing proper guards against entity expansion or recursion. This vulnerability allows attackers to craft a small malicious SVG file (as small as 811 bytes) that can stall the application and potentially crash the Node.js process with a JavaScript heap out of memory error.
Critical Impact
A malicious SVG file can cause complete denial of service by exhausting available memory and crashing Node.js applications that use SVGO for SVG processing.
Affected Products
- SVGO 2.x: 2.1.0 up to, but not including, 2.8.1
- SVGO 3.x: 3.0.0 up to, but not including, 3.3.3
- SVGO 4.x: releases before 4.0.1
Discovery Timeline
- 2026-03-06 - CVE-2026-29074 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29074
Vulnerability Analysis
This vulnerability is classified as CWE-776 (Improper Restriction of Recursive Entity References in DTDs), commonly known as an XML "Billion Laughs" attack or XML bomb. The SVGO library's XML parser accepts and processes custom entity definitions without implementing safeguards against recursive or exponentially expanding entity references.
When processing SVG files, SVGO parses the XML content including any Document Type Definitions (DTD) that define custom entities. The vulnerability arises because the parser does not limit entity expansion depth or the total number of entity expansions. An attacker can craft a small SVG file that defines nested entities, where each entity references multiple copies of another entity, causing exponential memory consumption during parsing.
Root Cause
The root cause is the lack of proper input validation and resource limits in the XML parsing functionality. SVGO processes XML entities without implementing:
- Maximum entity expansion limits
- Recursion depth restrictions
- Total entity reference counting
- Memory consumption guards
This allows malicious XML content to trigger unbounded memory allocation during entity resolution.
Attack Vector
The attack can be executed remotely over the network against any application that uses SVGO to process user-supplied or untrusted SVG files. Common attack scenarios include:
- Web applications accepting SVG uploads for optimization
- CI/CD pipelines processing SVG assets from external sources
- Image processing services that use SVGO for SVG optimization
- Content management systems with SVG optimization features
The attack requires no authentication or special privileges, and no user interaction beyond submitting the malicious SVG file. The attacker crafts an SVG file containing a DTD with recursively defined entities that, when expanded, consume exponentially more memory than the original file size. A file as small as 811 bytes can exhaust the JavaScript heap, causing the Node.js process to crash with an out-of-memory error.
Detection Methods for CVE-2026-29074
Indicators of Compromise
- Unexpected Node.js process crashes with "JavaScript heap out of memory" errors
- Abnormal memory consumption spikes during SVG file processing
- Application hangs or unresponsiveness when handling SVG uploads
- Small SVG files with unusually large DTD sections or entity declarations
Detection Strategies
- Monitor Node.js process memory usage for sudden spikes during SVG processing operations
- Implement logging to track SVG file processing times and flag operations exceeding normal thresholds
- Review application logs for heap out of memory errors correlated with SVG processing events
- Scan incoming SVG files for suspicious DTD declarations or recursive entity patterns before processing
Monitoring Recommendations
- Configure Node.js process monitoring to alert on memory usage exceeding baseline thresholds
- Implement request timeout monitoring for SVG optimization endpoints
- Set up application health checks that detect unresponsive SVG processing services
- Monitor for patterns of repeated crashes or restarts in services using SVGO
How to Mitigate CVE-2026-29074
Immediate Actions Required
- Upgrade SVGO to patched versions: 2.8.1, 3.3.3, or 4.0.1 depending on your major version
- Audit all applications and build pipelines that use SVGO as a dependency
- Implement file size limits and processing timeouts for SVG uploads as defense-in-depth measures
- Consider temporarily disabling SVG optimization for untrusted content until patches are applied
Patch Information
The SVGO maintainers have released security patches addressing this vulnerability. Users should upgrade to the following fixed versions:
- Version 2.8.1 for users on the 2.x branch
- Version 3.3.3 for users on the 3.x branch
- Version 4.0.1 for users on the 4.x branch
For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Pre-validate SVG files to reject those containing DTD declarations or entity definitions before passing to SVGO
- Implement memory limits on Node.js processes handling SVG files using --max-old-space-size
- Run SVG processing in isolated containers or sandboxed environments to limit impact of memory exhaustion
- Consider using alternative SVG optimization tools that properly handle entity expansion until patches are applied
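The pre-validation workaround above (and the "scan incoming SVG files for DTD declarations or entity patterns" detection strategy) can be implemented as a small fail-closed screen in front of the optimizer. This is an added example, not SVGO's own code; the names screenSvg, optimizeUntrustedSvg, SvgRejected and MAX_SVG_BYTES are hypothetical, the 1 MiB size cap is an assumed policy value, and the sample SVGs are constructed.

```javascript
// Added example, not SVGO's own code: a fail-closed screen that rejects SVG input
// carrying a DTD, entity declarations or custom entity references before it is
// handed to svgo.optimize(). Names screenSvg, optimizeUntrustedSvg, SvgRejected and
// MAX_SVG_BYTES are hypothetical; the 1 MiB cap is an assumed policy value.
const MAX_SVG_BYTES = 1024 * 1024;

class SvgRejected extends Error {}

const DOCTYPE_RE = /<!DOCTYPE\b/i;       // any DTD, internal or external subset
const ENTITY_DECL_RE = /<!ENTITY\b/i;    // entity declarations, even outside a DOCTYPE
// A reference &name; that is not one of XML's five predefined entities
// (amp, lt, gt, quot, apos) and not a numeric character reference (&#65; &#x41;).
const CUSTOM_ENTITY_REF_RE =
  /&(?!(?:amp|lt|gt|quot|apos|#x?[0-9a-f]+);)[A-Za-z_:][\w.:-]*;/i;

// Returns { ok, reason }; reason is null when the file passes every check.
function screenSvg(svgText) {
  if (Buffer.byteLength(svgText, 'utf8') > MAX_SVG_BYTES) {
    return { ok: false, reason: 'too-large' };
  }
  if (DOCTYPE_RE.test(svgText)) return { ok: false, reason: 'doctype' };
  if (ENTITY_DECL_RE.test(svgText)) return { ok: false, reason: 'entity-declaration' };
  if (CUSTOM_ENTITY_REF_RE.test(svgText)) {
    return { ok: false, reason: 'custom-entity-reference' };
  }
  return { ok: true, reason: null };
}

// Gate in front of the optimizer: `optimize` is passed in (e.g. require('svgo').optimize)
// so the screen itself has no dependency on svgo.
function optimizeUntrustedSvg(svgText, optimize) {
  const verdict = screenSvg(svgText);
  if (!verdict.ok) throw new SvgRejected(`SVG rejected: ${verdict.reason}`);
  return optimize(svgText);
}

// Constructed samples: a plain icon and a file that smuggles in an internal DTD subset.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>';
const DTD_SVG =
  '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "x">]>' +
  '<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>';
```

The screen rejects every DOCTYPE, including the external-only one that older SVG exporters emit; if you must accept such files, relax the DOCTYPE rule to reject only an internal subset (`<!DOCTYPE ... [`) and keep the entity-declaration and entity-reference rules unchanged. Log the returned reason so rejected uploads feed the detection strategies above.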
# Example: Run Node.js with a capped heap so a malicious SVG crashes the worker early,
# before it exhausts host memory (the process still dies, so pair it with a supervisor that restarts it)
node --max-old-space-size=512 your-svg-processing-app.js
# Example: Check your installed SVGO version
npm list svgo
# Example: Upgrade to a patched version (npm install, not npm update, takes a version spec)
npm install svgo@latest
# or pin to the fixed release of your current major branch, e.g.
npm install svgo@3.3.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

