Platform
nodejs
Component
svgo
Fixed in
2.1.1
3.0.1
4.0.1
2.8.2
3.3.4
4.0.2
2.8.1
CVE-2026-29074 describes a Denial of Service (DoS) vulnerability within SVGO, a Node.js library used for optimizing SVG images. An attacker can exploit this flaw by providing a specially crafted XML file containing custom entities, leading to excessive memory consumption and potential crashes of the Node.js process. This vulnerability impacts versions of SVGO prior to 2.8.1, and a patch has been released to address the issue.
The primary impact of CVE-2026-29074 is a denial of service. An attacker can trigger a crash in the Node.js process handling SVGO, effectively disrupting the application's ability to process SVG images. This can lead to service unavailability and potential data loss if the application relies on SVGO for critical operations. The vulnerability stems from SVGO's handling of custom XML entities without proper safeguards against expansion or recursion. A small, malicious XML file can trigger an exponential increase in memory usage, ultimately exhausting the available heap space and causing the application to terminate. This is similar to other XML processing vulnerabilities where unbounded expansion leads to resource exhaustion.
CVE-2026-29074 was publicly disclosed on 2026-03-04. The vulnerability is not currently listed on CISA KEV, and its EPSS score is pending evaluation. There are no known public proof-of-concept exploits available at this time, but the nature of the vulnerability suggests that it could be relatively easy to exploit given a basic understanding of XML and SVG.
Applications and services that utilize SVGO for SVG image optimization are at risk. This includes web applications, build pipelines, and any automated processes that process SVG files. Specifically, projects relying on older versions of SVGO (prior to 2.8.1) and those lacking robust input validation are particularly vulnerable.
• nodejs / supply-chain: Monitor Node.js processes for excessive memory consumption and JavaScript heap out of memory errors (the command below lists PID, resident memory in KB and the command line, sorted by memory).
  ps aux | grep '[n]ode' | awk '{print $2, $6, $11}' | sort -k2 -n
• nodejs / supply-chain: Check for SVGO versions prior to 2.8.1 installed in your project dependencies.
  npm ls svgo
• generic web: Examine web server access logs for requests containing XML files with unusual or deeply nested custom entities. Look for patterns indicative of entity expansion attempts.
Disclosure
Exploit status
EPSS
0.06% (17th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-29074 is to upgrade SVGO to version 2.8.1 or later, which includes a fix for the vulnerability. If upgrading is not immediately feasible, consider implementing input validation to sanitize XML files before processing them with SVGO. Specifically, restrict the use of custom XML entities or implement strict limits on their expansion depth. Web application firewalls (WAFs) configured to detect and block malicious XML payloads could also provide a layer of defense. There are no specific Sigma or YARA rules available at this time, but monitoring Node.js process memory usage for sudden spikes could indicate exploitation.
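The input-validation mitigation above, as an added example that is not svgo's own code: a pre-parse guard that counts internal entity declarations in an SVG string and bounds their expansion cost before the document reaches svgo. The two policy limits, the helper names and the sample SVG strings are assumptions constructed for this example.

```javascript
// Added example, not svgo's own code: a pre-parse guard that bounds custom entity
// declarations in SVG text before the document is handed to svgo. The two policy
// limits are assumptions, not values from the advisory.
const MAX_ENTITIES = 8;            // max <!ENTITY> declarations accepted
const MAX_EXPANSION_COST = 65536;  // max expanded bytes (+1 per reference) per entity

// Collect internal general entities of the form <!ENTITY name "value">.
function parseEntities(xml) {
  const entities = new Map();
  const decl = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  for (let m; (m = decl.exec(xml)) !== null; ) {
    entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return entities;
}

// Cost of fully expanding one entity: its literal bytes plus one per reference (so empty
// entities cannot be nested to burn CPU), following references into other entities.
// Throws as soon as the running total passes the cap or a reference cycle appears,
// so a nested expansion bomb is rejected without ever being expanded in memory.
function expansionCost(entities, name, seen = new Set()) {
  if (seen.has(name)) throw new Error(`entity reference cycle at &${name};`);
  const value = entities.get(name);
  if (value === undefined) return 1; // undefined entity: left for the XML parser
  seen.add(name);
  const ref = /&([A-Za-z_][\w.-]*);/g;
  let cost = 0, last = 0;
  for (let m; (m = ref.exec(value)) !== null; last = ref.lastIndex) {
    cost += (m.index - last) + 1 + expansionCost(entities, m[1], seen);
    if (cost > MAX_EXPANSION_COST) throw new Error(`&${name}; exceeds ${MAX_EXPANSION_COST} bytes`);
  }
  seen.delete(name);
  return cost + (value.length - last);
}

// Returns { ok: true } or { ok: false, reason } for a candidate SVG/XML string.
function checkSvgEntities(xml) {
  const declared = (xml.match(/<!ENTITY\b/g) || []).length;
  const entities = parseEntities(xml);
  if (declared !== entities.size) return { ok: false, reason: 'external, parameter or duplicate entity declaration' };
  if (entities.size > MAX_ENTITIES) return { ok: false, reason: `${entities.size} entities exceed limit ${MAX_ENTITIES}` };
  try {
    for (const name of entities.keys()) expansionCost(entities, name);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  return { ok: true };
}

// Constructed inputs: a plain SVG, one with a harmless entity, and one whose entities reference each other.
const PLAIN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
const SMALL_DTD_SVG = '<!DOCTYPE svg [<!ENTITY c "#fff">]><svg fill="&c;"/>';
const CYCLIC_SVG = '<!DOCTYPE svg [<!ENTITY a "&b;"><!ENTITY b "&a;">]><svg>&a;</svg>';
```

Run `checkSvgEntities()` on each upload and drop anything that is not `ok` before calling svgo; the plain and small-DTD samples pass, the cyclic one is refused with a reason string suitable for logging.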
Update the SVGO library to version 2.8.1, 3.3.3 or 4.0.1 or later. This fixes the XML entity expansion vulnerability (Billion Laughs) that can lead to a denial of service.
CVE-2026-29074 is a Denial of Service vulnerability in SVGO, a Node.js library, where malicious XML files can cause memory exhaustion and application crashes.
You are affected if you are using SVGO versions prior to 2.8.1 and processing untrusted XML files.
Upgrade SVGO to version 2.8.1 or later. If upgrading isn't possible, implement input validation to restrict custom entities in XML files.
There is currently no confirmed active exploitation of CVE-2026-29074, but its simplicity suggests a potential for future exploitation.
Refer to the SVGO project's repository and release notes for the official advisory and details on the fix: [https://github.com/svg/svgo](https://github.com/svg/svgo)