CVE-2026-29112: Uncontrolled memory allocation via crafted SVG dimensions in @dicebear/converter
The ensureSize() function in @dicebear/converter (versions < 9.4.0) read the width and height attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. width="999999999") could force the server to allocate excessive memory, leading to denial of service.
This primarily affects server-side applications that pass untrusted or user-supplied SVGs to the converter’s toPng(), toJpeg(), toWebp(), or toAvif() functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but upgrading is still recommended.
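The following is an added example, not code from the advisory or from the dicebear project: a guard a server could run on a user-supplied SVG string before handing it to toPng() and friends, so that a crafted width/height never reaches the rasterizer. The per-side and total-pixel limits, the regex-based attribute parsing, the function names and the sample SVGs are all assumptions constructed for this illustration.

```javascript
// Added example (not @dicebear/converter code). Validates the root <svg>
// width/height attributes of untrusted input before rasterization.
// Limits below are assumed values; tune them to your deployment.
const MAX_SIDE = 4096;               // assumed per-side cap, in CSS pixels
const MAX_PIXELS = 16 * 1024 * 1024; // assumed total-pixel cap (~64 MiB of RGBA)

// Parse one length attribute. Accepts a plain number or a number with a "px"
// unit; anything else (percentages, em, empty) is rejected rather than guessed,
// because letting the converter choose a fallback size is what we want to avoid.
function parseLength(value) {
  if (typeof value !== 'string') return null;
  const m = /^\s*(\d+(?:\.\d+)?)(px)?\s*$/.exec(value);
  if (!m) return null;
  const n = Number(m[1]);
  return Number.isFinite(n) && n > 0 ? n : null;
}

// Read width and height from the attributes of the root <svg> element only.
// Returns null when either attribute is missing or not a parseable length.
function readSvgDimensions(svg) {
  const root = /<svg\b([^>]*)>/i.exec(svg);
  if (!root) return null;
  const attrs = root[1];
  const getAttr = (name) => {
    // (?:^|\s) keeps "stroke-width" from matching "width".
    const re = new RegExp('(?:^|\\s)' + name + '\\s*=\\s*["\']([^"\']*)["\']', 'i');
    const m = re.exec(attrs);
    return m ? m[1] : undefined;
  };
  const width = parseLength(getAttr('width'));
  const height = parseLength(getAttr('height'));
  if (width === null || height === null) return null;
  return { width, height };
}

// Decide whether the SVG is safe to rasterize under the given limits.
// Returns { ok: true, width, height } or { ok: false, reason }.
function checkSvgDimensions(svg, { maxSide = MAX_SIDE, maxPixels = MAX_PIXELS } = {}) {
  const dims = readSvgDimensions(svg);
  if (!dims) {
    return { ok: false, reason: 'missing or non-numeric width/height on root <svg>' };
  }
  if (dims.width > maxSide || dims.height > maxSide) {
    return { ok: false, reason: 'side exceeds ' + maxSide + ' px' };
  }
  if (dims.width * dims.height > maxPixels) {
    return { ok: false, reason: 'area exceeds ' + maxPixels + ' pixels' };
  }
  return { ok: true, width: dims.width, height: dims.height };
}

// Constructed sample inputs (not taken from the advisory).
const SAFE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">' +
  '<rect width="128" height="128"/></svg>';
const HUGE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="999999999" height="999999999"></svg>';

// Stand-alone demonstration of the guard on both samples.
console.log('safe sample:', checkSvgDimensions(SAFE_SVG));
console.log('huge sample:', checkSvgDimensions(HUGE_SVG));
```

In a request handler, run checkSvgDimensions() on the raw SVG string and return an error to the client when `ok` is false; only call the converter's toPng()/toJpeg()/toWebp()/toAvif() on input that passed. Note that the guard only reads the root element's explicit width and height, which is the pair of attributes the advisory names; it deliberately rejects percentage or missing sizes instead of falling back to a viewBox, because any fallback logic inside the converter is exactly what an untrusted input should not be allowed to drive.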
References
- github.com/advisories/GHSA-v3r3-4qgc-vw66
- github.com/dicebear/dicebear
- github.com/dicebear/dicebear/commit/42a59eac46a3c68598859e608ec45e578b27614a
- github.com/dicebear/dicebear/releases/tag/v9.4.0
- github.com/dicebear/dicebear/security/advisories/GHSA-v3r3-4qgc-vw66
- nvd.nist.gov/vuln/detail/CVE-2026-29112