CVE-2026-29074: SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
SVGO accepts XML with custom entities, without guards against entity expansion or recursion. As a result, a small XML file (811 bytes) can stall the application and even crash the Node.js process with a "JavaScript heap out of memory" error.
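A pre-flight check that an application could run on untrusted SVG before handing it to an optimizer, given here as an added example and not code from SVGO or from this advisory. It computes how large the input would become after entity expansion without building the string, and rejects recursive declarations. The function names, the default limit and the sample document are assumptions; parameter and external entities are not evaluated.

```javascript
// Added example; function names and the default limit are assumptions, not SVGO API.
const ENTITY_DECL = /<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([^\s;&#]+);/g;
// Constructed sample: three small nested entities (expands to a few hundred chars).
const SAMPLE = `<!DOCTYPE svg [
  <!ENTITY a "xxxxxxxxxx">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&c;</text></svg>`;

// Expanded length of one entity, computed arithmetically: the string is never built.
function expandedSize(name, entities, memo, stack) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error(`recursive entity: ${name}`);
  const value = entities.get(name);
  // Undeclared or predefined (&amp; etc.): count the reference text itself.
  if (value === undefined) return BigInt(name.length + 2);
  stack.add(name);
  let size = BigInt(value.length);
  for (const ref of value.matchAll(ENTITY_REF)) {
    size += expandedSize(ref[1], entities, memo, stack) - BigInt(ref[0].length);
  }
  stack.delete(name);
  memo.set(name, size);
  return size;
}
function checkSvgEntities(xml, maxExpandedChars = 1000000n) {
  const entities = new Map();
  for (const m of xml.matchAll(ENTITY_DECL)) {
    // XML binds a name to its first declaration; later ones are ignored.
    if (!entities.has(m[1])) entities.set(m[1], m[2] ?? m[3] ?? '');
  }
  // Treat the whole input as a pseudo-entity so references in the body count too.
  entities.set('#document', xml);
  const memo = new Map();
  let worst = 0n;
  try {
    for (const name of entities.keys()) {
      const size = expandedSize(name, entities, memo, new Set());
      if (size > worst) worst = size;
    }
  } catch (err) {
    // Cycles and stack exhaustion from very deep chains both fail closed.
    return { ok: false, reason: err.message, worst: null };
  }
  const ok = worst <= maxExpandedChars;
  return { ok, reason: ok ? null : 'expansion limit exceeded', worst };
}
```

Because references inside the declarations are counted again as part of the document, the reported size is an upper bound, which errs toward rejection.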