VYPR
High severityNVD Advisory· Published Mar 24, 2026· Updated Mar 24, 2026

@dicebear/converter ensureSize() Vulnerable to SVG Dimension Capping Bypass via XML Comment Injection

CVE-2026-33418

Description

DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize() function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of <svg before the actual SVG root element. When the SVG is subsequently rendered via @resvg/resvg-js on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes. In version 9.4.2, the regex-based approach has been replaced with XML-aware processing using fast-xml-parser to correctly identify and modify the SVG root element's attributes. Additionally, a fitTo constraint has been added to the renderAsync call as defense-in-depth, ensuring the rendered output is always bounded regardless of SVG content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@dicebear/converternpm
< 9.4.29.4.2

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.