Platform: nodejs
Component: svgo
Fixed in: 2.1.1, 3.0.1, 4.0.1, 2.8.2, 3.3.4, 4.0.2, 2.8.1
CVE-2026-29074 describes a Denial of Service (DoS) vulnerability within SVGO, a Node.js library used for optimizing SVG images. An attacker can exploit this flaw by providing a specially crafted XML file containing custom entities, leading to excessive memory consumption and potential crashes of the Node.js process. This vulnerability affects versions prior to 2.8.1, and a fix is available in version 2.8.1.
The core of this vulnerability lies in SVGO's handling of XML files with custom entities. The library, relying on the sax XML parser, allows for entity expansion and recursion without sufficient safeguards. A malicious actor can construct a small XML file (approximately 811 bytes) that, when processed by SVGO, triggers uncontrolled entity expansion. This expansion rapidly consumes memory, ultimately leading to a JavaScript heap out of memory error and crashing the Node.js application. The blast radius extends to any application utilizing SVGO to process SVG images, potentially disrupting services and causing downtime. The ease of crafting a malicious XML file makes this vulnerability particularly concerning.
This vulnerability was publicly disclosed on 2026-03-04. There is currently no indication of active exploitation campaigns targeting CVE-2026-29074. The vulnerability's simplicity and reliance on XML manipulation suggest a potential for easy exploitation, though no public proof-of-concept (PoC) has been widely released. Its severity is rated HIGH (CVSS 7.5).
EPSS: 0.06% (17th percentile)
The primary mitigation for CVE-2026-29074 is to upgrade SVGO to version 2.8.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation to prevent the processing of XML files with potentially malicious custom entities. Specifically, validate the XML structure and restrict the use of custom entities. Additionally, consider implementing resource limits within your Node.js application to prevent a single process from consuming excessive memory. After upgrading, confirm the fix by attempting to process a known malicious XML file (if available) and verifying that the application does not crash or exhibit excessive memory consumption.
Update the SVGO library to version 2.8.1, 3.3.3, or 4.0.1 or higher. This corrects the XML entity expansion (Billion Laughs) vulnerability that can lead to a denial of service.
CVE-2026-29074 is a Denial of Service vulnerability in SVGO, a Node.js library, where malicious XML files can cause memory exhaustion and application crashes.
You are affected if you are using SVGO versions prior to 2.8.1 and processing untrusted XML files.
Upgrade SVGO to version 2.8.1 or later. If upgrading isn't possible, implement input validation to restrict custom entities in XML files.
There is currently no confirmed active exploitation of CVE-2026-29074, but its simplicity suggests a potential for future exploitation.
Refer to the SVGO project's repository and release notes for the official advisory and details on the fix: [https://github.com/svg/svgo](https://github.com/svg/svgo)