CVE-2026-29112
Received Received - Intake
Memory Exhaustion DoS in DiceBear SVG Converter (ensureSize

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. `width="999999999"`) could force the server to allocate excessive memory, leading to denial of service. This primarily affects server-side applications that pass untrusted or user-supplied SVGs to the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but are still recommended to upgrade. This is fixed in version 9.4.0. The `ensureSize()` function no longer reads SVG attributes to determine output size. Instead, a new `size` option (default: 512, max: 2048) controls the output dimensions. Invalid values (NaN, negative, zero, Infinity) fall back to the default. If upgrading is not immediately possible, validate and sanitize the `width` and `height` attributes of any untrusted SVG input before passing it to the converter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29112
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dicebear dicebear to 9.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29112 is a vulnerability in the DiceBear avatar library's @dicebear/converter package prior to version 9.4.0. The issue arises because the ensureSize() function reads the width and height attributes directly from input SVG files to determine the output canvas size for rasterization formats like PNG, JPEG, WebP, and AVIF."}, {'type': 'paragraph', 'content': 'An attacker can supply a crafted SVG with extremely large dimension values (for example, width="999999999") which causes the server to allocate excessive memory. This excessive memory allocation can lead to a denial of service (DoS) condition, making the application unavailable or unstable.'}, {'type': 'paragraph', 'content': 'The vulnerability mainly affects server-side applications that process untrusted or user-supplied SVGs using the toPng(), toJpeg(), toWebp(), or toAvif() functions. Applications that only convert self-generated DiceBear avatars are less likely to be exploitable but upgrading is still recommended.'}, {'type': 'paragraph', 'content': 'The issue was fixed in version 9.4.0 by removing the reading of SVG width and height attributes for output sizing. Instead, a new size option controls the output dimensions with a default of 512 pixels and a maximum of 2048 pixels. Invalid size values fall back to the default.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on your server-side application that uses the @dicebear/converter package to process SVG images.'}, {'type': 'paragraph', 'content': "If your application accepts untrusted or user-supplied SVGs and passes them to the converter's rasterization functions (toPng(), toJpeg(), toWebp(), or toAvif()), an attacker could supply an SVG with extremely large width and height attributes. This would force your server to allocate excessive memory, potentially exhausting resources and causing your application to crash or become unresponsive."}, {'type': 'paragraph', 'content': 'Applications that only convert self-generated DiceBear avatars are less likely to be affected, but it is still recommended to upgrade to mitigate any risk.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, it is advised to validate and sanitize the width and height attributes of any untrusted SVG inputs before passing them to the converter.'}] [2, 1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises when untrusted or user-supplied SVG files with extremely large width and height attributes are processed by the @dicebear/converter package prior to version 9.4.0. Detection involves identifying if your system or network processes SVG inputs through the toPng(), toJpeg(), toWebp(), or toAvif() functions of the vulnerable @dicebear/converter versions.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation attempts, monitor for unusually large SVG files or SVGs containing extremely large width and height attribute values (e.g., width="999999999"). You can use commands to search for such SVG files or attributes in logs or input directories.'}, {'type': 'list_item', 'content': 'Use grep or similar tools to find SVG files with large dimension attributes, for example: grep -E \'width="[0-9]{7,}"|height="[0-9]{7,}"\' /path/to/svg/files'}, {'type': 'list_item', 'content': 'Monitor application logs for errors or crashes related to memory exhaustion during SVG processing.'}, {'type': 'list_item', 'content': 'Check the version of @dicebear/converter in use to confirm if it is prior to 9.4.0, which is vulnerable.'}] [1, 2, 3]

Mitigation Strategies

The primary mitigation is to upgrade the @dicebear/converter package to version 9.4.0 or later, where the vulnerability is fixed by removing reliance on SVG width and height attributes and introducing a controlled size option.

If upgrading immediately is not possible, validate and sanitize the width and height attributes of any untrusted SVG inputs before passing them to the converter to ensure they do not contain excessively large values.

  • Upgrade @dicebear/converter to version 9.4.0 or later.
  • Sanitize and validate SVG input dimensions to reject or limit extremely large width and height values.
  • Use the new size option introduced in version 9.4.0 to explicitly control output image dimensions, with a default of 512 pixels and a maximum of 2048 pixels.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29112. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart