CVE-2026-29112
Status: Received (intake)
Memory Exhaustion DoS in DiceBear SVG Converter (ensureSize)

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. `width="999999999"`) could force the server to allocate excessive memory, leading to denial of service.

This primarily affects server-side applications that pass untrusted or user-supplied SVGs to the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but upgrading is still recommended.

This is fixed in version 9.4.0: `ensureSize()` no longer reads SVG attributes to determine the output size. Instead, a new `size` option (default: 512, max: 2048) controls the output dimensions, and invalid values (NaN, negative, zero, Infinity) fall back to the default. If upgrading is not immediately possible, validate and sanitize the `width` and `height` attributes of any untrusted SVG input before passing it to the converter.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: dicebear
Product: dicebear
Version / Range: up to 9.4.0 (excluding)
CWE
CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29112 is a vulnerability in the DiceBear avatar library's @dicebear/converter package prior to version 9.4.0. The issue arises because the ensureSize() function reads the width and height attributes directly from input SVG files to determine the output canvas size for rasterization formats like PNG, JPEG, WebP, and AVIF.

An attacker can supply a crafted SVG with extremely large dimension values (for example, width="999999999"), which causes the server to allocate excessive memory. This excessive memory allocation can lead to a denial of service (DoS) condition, making the application unavailable or unstable.

The vulnerability mainly affects server-side applications that process untrusted or user-supplied SVGs using the toPng(), toJpeg(), toWebp(), or toAvif() functions. Applications that only convert self-generated DiceBear avatars are less likely to be exploitable, but upgrading is still recommended.

The issue was fixed in version 9.4.0 by removing the reading of SVG width and height attributes for output sizing. Instead, a new size option controls the output dimensions with a default of 512 pixels and a maximum of 2048 pixels. Invalid size values fall back to the default. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on your server-side application that uses the @dicebear/converter package to process SVG images.

If your application accepts untrusted or user-supplied SVGs and passes them to the converter's rasterization functions (toPng(), toJpeg(), toWebp(), or toAvif()), an attacker could supply an SVG with extremely large width and height attributes. This would force your server to allocate excessive memory, potentially exhausting resources and causing your application to crash or become unresponsive.

Applications that only convert self-generated DiceBear avatars are less likely to be affected, but it is still recommended to upgrade to mitigate any risk.

If upgrading immediately is not possible, it is advised to validate and sanitize the width and height attributes of any untrusted SVG inputs before passing them to the converter. [2, 1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises when untrusted or user-supplied SVG files with extremely large width and height attributes are processed by the @dicebear/converter package prior to version 9.4.0. Detection involves identifying whether your system or network processes SVG inputs through the toPng(), toJpeg(), toWebp(), or toAvif() functions of the vulnerable @dicebear/converter versions.

To detect potential exploitation attempts, monitor for unusually large SVG files or SVGs containing extremely large width and height attribute values (e.g., width="999999999"). You can use commands to search for such SVG files or attributes in logs or input directories.

  • Use grep or similar tools to search a directory for SVG files with large dimension attributes, for example: grep -rE 'width="[0-9]{7,}"|height="[0-9]{7,}"' /path/to/svg/files
  • Monitor application logs for errors or crashes related to memory exhaustion during SVG processing.
  • Check the version of @dicebear/converter in use to confirm whether it is prior to 9.4.0, which is vulnerable. [1, 2, 3]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the @dicebear/converter package to version 9.4.0 or later, where the vulnerability is fixed by removing reliance on SVG width and height attributes and introducing a controlled size option.

If upgrading immediately is not possible, validate and sanitize the width and height attributes of any untrusted SVG inputs before passing them to the converter to ensure they do not contain excessively large values.

  • Upgrade @dicebear/converter to version 9.4.0 or later.
  • Sanitize and validate SVG input dimensions to reject or limit extremely large width and height values.
  • Use the new size option introduced in version 9.4.0 to explicitly control output image dimensions, with a default of 512 pixels and a maximum of 2048 pixels.
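Worked example (added here; it is not code from the DiceBear project or from the advisory): a JavaScript guard for untrusted SVGs handed to a pre-9.4.0 @dicebear/converter, covering the "validate and sanitize the width and height attributes" workaround from the Description and the mitigation steps above, plus a re-implementation of the 9.4.0 size-option rule the advisory describes (default 512, maximum 2048, NaN/negative/zero/Infinity fall back to the default). The regex-based parsing of the root <svg> tag, the policy of rejecting units other than px, the 4-bytes-per-pixel RGBA memory estimate, clamping (rather than rejecting) an oversized size, and the names readRootDimension, checkSvgDimensions, forceSvgDimensions, resolveOutputSize, guardedConvert and demo are all assumptions of this example, not the library's API. The sample SVGs are constructed for the example.

```javascript
// Added example: not part of @dicebear/converter. Guards untrusted SVG input
// before a pre-9.4.0 converter reads its width/height, and re-implements the
// 9.4.0 size-option rule described in the advisory.
const DEFAULT_SIZE = 512;   // advisory: 9.4.0 default output size
const MAX_SIZE = 2048;      // advisory: 9.4.0 maximum output size
const BYTES_PER_PIXEL = 4;  // assumption: RGBA canvas, used for the memory estimate

// 9.4.0 rule from the advisory: NaN, negative, zero and Infinity fall back to
// the default. Clamping values above MAX_SIZE is this example's reading of
// "max: 2048"; the real function may reject such values instead.
function resolveOutputSize(size) {
  if (!Number.isFinite(size) || size <= 0) return DEFAULT_SIZE;
  return Math.min(Math.floor(size), MAX_SIZE);
}

// Read one dimension attribute from the root <svg> tag only; nested elements
// cannot set the output canvas. Returns null if absent, { value: NaN } if the
// attribute is not a plain number or number+unit, otherwise { value, unit }.
function readRootDimension(svg, attr) {
  const open = svg.match(/<svg\b[^>]*>/i);
  if (!open) throw new Error('no <svg> root element');
  const re = new RegExp(`\\s${attr}\\s*=\\s*["']\\s*([^"']*?)\\s*["']`, 'i');
  const m = open[0].match(re);
  if (!m) return null;
  const dim = m[1].match(/^([0-9]*\.?[0-9]+)(px|pt|mm|cm|in|%|em|rem)?$/i);
  if (!dim) return { value: NaN, unit: null };
  return { value: parseFloat(dim[1]), unit: dim[2] ? dim[2].toLowerCase() : 'px' };
}

// Pre-upgrade mitigation: unitless and px values must lie in 1..maxSize.
// Other units are rejected because their rasterised size depends on converter
// internals the advisory does not describe (conservative policy, an assumption).
function checkSvgDimensions(svg, maxSize = MAX_SIZE) {
  const problems = [];
  for (const attr of ['width', 'height']) {
    const d = readRootDimension(svg, attr);
    if (d === null) continue;
    if (Number.isNaN(d.value)) { problems.push(`${attr}: unparseable`); continue; }
    if (d.unit !== 'px') { problems.push(`${attr}: unit "${d.unit}" not allowed`); continue; }
    if (d.value <= 0 || d.value > maxSize) {
      problems.push(`${attr}=${d.value} outside 1..${maxSize}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Why the crafted value matters: bytes an RGBA canvas of width x height needs.
function estimateCanvasBytes(width, height) {
  return width * height * BYTES_PER_PIXEL;
}

// Sanitising alternative: overwrite the root width/height with bounded integers
// so a converter that still honours the attributes receives safe values.
function forceSvgDimensions(svg, width = DEFAULT_SIZE, height = DEFAULT_SIZE) {
  const w = resolveOutputSize(width);
  const h = resolveOutputSize(height);
  return svg.replace(/<svg\b[^>]*>/i, (tag) => {
    const stripped = tag.replace(/\s(width|height)\s*=\s*["'][^"']*["']/gi, '');
    return stripped.replace(/^<svg/i, `<svg width="${w}" height="${h}"`);
  });
}

// Hypothetical wrapper: validate, then hand the SVG to the real converter call
// (toPng/toJpeg/toWebp/toAvif). The identity default keeps the example offline.
function guardedConvert(svg, convert = (s) => s) {
  const check = checkSvgDimensions(svg);
  if (!check.ok) throw new Error(`rejected SVG: ${check.problems.join('; ')}`);
  return convert(svg);
}

// Constructed sample inputs for this example (not captured attacker traffic).
const CRAFTED_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="999999999" height="999999999"><rect width="10" height="10"/></svg>';
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="256px" height="256" viewBox="0 0 256 256"></svg>';

// Runs the guard on both samples and returns the outcome (call demo() to try it).
function demo() {
  return {
    crafted: checkSvgDimensions(CRAFTED_SVG),
    craftedBytes: estimateCanvasBytes(999999999, 999999999),
    sanitisedOk: checkSvgDimensions(forceSvgDimensions(CRAFTED_SVG)).ok,
    benignPassed: guardedConvert(BENIGN_SVG) === BENIGN_SVG,
  };
}
```

Run it with node and call demo(): the crafted sample is rejected on both attributes (the estimate shows it would need roughly 4e18 bytes of canvas), forceSvgDimensions turns it into a 512x512 input that passes, and the benign sample goes through unchanged. In production, pass the real toPng()/toJpeg()/toWebp()/toAvif() call as the convert argument, and after upgrading to 9.4.0 set the size option explicitly rather than relying on anything in the input.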
