@dicebear/converter ensureSize() Vulnerable to SVG Dimension Capping Bypass via XML Comment Injection
Description
DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize() function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of <svg before the actual SVG root element. When the SVG is subsequently rendered via @resvg/resvg-js on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes. In version 9.4.2, the regex-based approach has been replaced with XML-aware processing using fast-xml-parser to correctly identify and modify the SVG root element's attributes. Additionally, a fitTo constraint has been added to the renderAsync call as defense-in-depth, ensuring the rendered output is always bounded regardless of SVG content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@dicebear/converternpm | < 9.4.2 | 9.4.2 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-7j2x-32w6-p43pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33418ghsaADVISORY
- github.com/dicebear/dicebear/security/advisories/GHSA-7j2x-32w6-p43pghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.