CVE-2026-33418: SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()

March 20, 2026

The ensureSize() function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of <svg before the actual SVG root element. When the SVG is subsequently rendered via @resvg/resvg-js on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes.

References

github.com/advisories/GHSA-7j2x-32w6-p43p
github.com/dicebear/dicebear
github.com/dicebear/dicebear/security/advisories/GHSA-7j2x-32w6-p43p
nvd.nist.gov/vuln/detail/CVE-2026-33418

Code Behaviors & Features

Detect and mitigate CVE-2026-33418 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →