Platform: nodejs
Component: svgo
Fixed in: 2.1.1, 3.0.1, 4.0.1, 2.8.2, 3.3.4, 4.0.2, 2.8.1
CVE-2026-29074 describes a Denial of Service (DoS) vulnerability within SVGO, a Node.js library used for optimizing SVG images. An attacker can exploit this flaw by providing a specially crafted XML file containing custom entities, leading to excessive memory consumption and potential crashes of the Node.js process. This vulnerability affects versions prior to 2.8.1, and a fix is available in version 2.8.1.
The core of this vulnerability lies in SVGO's handling of XML files with custom entities. The library, relying on the sax XML parser, allows for entity expansion and recursion without sufficient safeguards. A malicious actor can construct a small XML file (approximately 811 bytes) that, when processed by SVGO, triggers uncontrolled entity expansion. This expansion rapidly consumes memory, ultimately leading to a JavaScript heap out of memory error and crashing the Node.js application. The blast radius extends to any application utilizing SVGO to process SVG images, potentially disrupting services and causing downtime. The ease of crafting a malicious XML file makes this vulnerability particularly concerning.
This vulnerability was publicly disclosed on 2026-03-04. There is currently no indication of active exploitation campaigns targeting CVE-2026-29074. The vulnerability's simplicity and reliance on XML manipulation suggest a potential for easy exploitation, though no public proof-of-concept (PoC) has been widely released. Its severity is rated HIGH (CVSS 7.5).
Applications and services that utilize SVGO for SVG image optimization are at risk. This includes web applications, build pipelines, and any automated processes that process SVG files. Specifically, projects relying on older versions of SVGO (prior to 2.8.1) and those lacking robust input validation are particularly vulnerable.
• nodejs / supply-chain: Monitor Node.js processes for excessive memory consumption and JavaScript heap out of memory errors.
ps aux | grep '[n]ode' | awk '{print $6, $11}' | sort -n   # RSS in KB and command, largest last
• nodejs / supply-chain: Check for SVGO versions prior to 2.8.1 installed in your project dependencies.
npm ls svgo
• generic web: Examine web server access logs for requests containing XML files with unusual or deeply nested custom entities. Look for patterns indicative of entity expansion attempts.
EPSS: 0.06% (17th percentile)
The primary mitigation for CVE-2026-29074 is to upgrade SVGO to version 2.8.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation to prevent the processing of XML files with potentially malicious custom entities. Specifically, validate the XML structure and restrict the use of custom entities. Additionally, consider implementing resource limits within your Node.js application to prevent a single process from consuming excessive memory. After upgrading, confirm the fix by attempting to process a known malicious XML file (if available) and verifying that the application does not crash or exhibit excessive memory consumption.
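The input-validation mitigation above, and the detection hint about requests carrying custom entities, both come down to the same check: refuse any SVG that declares or references custom XML entities before it reaches the parser. The following is an added example and not code from the SVGO project or this advisory. The size cap, the function names and the sample SVG strings are assumptions constructed for illustration; the optimizer is passed in as a callback so svgo's `optimize` can be dropped in without the example depending on it.

```javascript
// Added example, not code from the SVGO project: a pre-parse gate that
// refuses SVG input carrying DOCTYPE/ENTITY declarations or undeclared entity
// references before it is handed to an XML parser or optimizer.

// Assumed policy value: cap raw input size so a single request cannot tie up
// the parser with a very large document even when no entities are present.
const MAX_SVG_BYTES = 1024 * 1024;

// A DOCTYPE or ENTITY declaration is required for custom entity expansion;
// SVG exported by design tools does not need either, so both are rejected
// outright (a declaration inside a comment is also rejected: deliberate
// false positive, cheaper than parsing to find out).
const ENTITY_DECL = /<!(?:DOCTYPE|ENTITY)\b/i;

// Named entity references; numeric references (&#...;) are not matched.
const ENTITY_REF = /&([A-Za-z_:][\w.:-]*);/g;
const PREDEFINED_ENTITIES = new Set(['amp', 'lt', 'gt', 'quot', 'apos']);

// Returns the distinct custom (non-predefined) named entities referenced,
// sorted so callers get a stable list for logging or alerting.
function findCustomEntityRefs(svgText) {
  const found = new Set();
  for (const match of svgText.matchAll(ENTITY_REF)) {
    if (!PREDEFINED_ENTITIES.has(match[1])) found.add(match[1]);
  }
  return [...found].sort();
}

// Decide whether a document may be passed on. Returns { ok, reason }.
function checkSvgInput(svgText) {
  if (typeof svgText !== 'string') {
    return { ok: false, reason: 'input is not a string' };
  }
  const bytes = Buffer.byteLength(svgText, 'utf8');
  if (bytes > MAX_SVG_BYTES) {
    return { ok: false, reason: `input too large (${bytes} bytes)` };
  }
  if (ENTITY_DECL.test(svgText)) {
    return { ok: false, reason: 'DOCTYPE/ENTITY declaration not permitted' };
  }
  const custom = findCustomEntityRefs(svgText);
  if (custom.length > 0) {
    return { ok: false, reason: `undeclared entity references: ${custom.join(', ')}` };
  }
  return { ok: true, reason: null };
}

// Run the gate, then hand the document to a caller-supplied optimizer
// (for svgo: optimizeIfSafe(svg, s => require('svgo').optimize(s).data)).
function optimizeIfSafe(svgText, optimizeFn) {
  const verdict = checkSvgInput(svgText);
  if (!verdict.ok) {
    throw new Error(`rejected SVG input: ${verdict.reason}`);
  }
  return optimizeFn(svgText);
}

// Constructed sample inputs for demonstration.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' +
  '<text>Tom &amp; Jerry</text><rect width="10" height="10"/></svg>';

// One internal entity declared and referenced: the shape of input the gate
// exists to stop, reduced to a single harmless entity for illustration.
const ENTITY_SVG =
  '<?xml version="1.0"?><!DOCTYPE svg [ <!ENTITY e "x"> ]>' +
  '<svg xmlns="http://www.w3.org/2000/svg"><text>&e;</text></svg>';

// References an entity that was never declared; a parser would fail on it
// anyway, but rejecting it up front keeps the parser out of the loop.
const UNDECLARED_REF_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><text>&foo;&foo;</text></svg>';

for (const [name, doc] of [['benign', BENIGN_SVG], ['entity', ENTITY_SVG], ['undeclared', UNDECLARED_REF_SVG]]) {
  console.log(name, JSON.stringify(checkSvgInput(doc)));
}
```

Run the gate at the boundary where untrusted SVG enters (upload handler, build step that ingests third-party assets), and log the `reason` string: a burst of "DOCTYPE/ENTITY declaration not permitted" rejections is the access-log signal the detection section describes. Pair it with a per-process heap ceiling (Node's `--max-old-space-size` flag) so that anything the gate misses takes down one worker rather than the host.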
Upgrade the SVGO library to version 2.8.1, 3.3.3 or 4.0.1 or later. This fixes the XML entity expansion (Billion Laughs) vulnerability that can cause a denial of service.
CVE-2026-29074 is a Denial of Service vulnerability in SVGO, a Node.js library, where malicious XML files can cause memory exhaustion and application crashes.
You are affected if you are using SVGO versions prior to 2.8.1 and processing untrusted XML files.
Upgrade SVGO to version 2.8.1 or later. If upgrading isn't possible, implement input validation to restrict custom entities in XML files.
There is currently no confirmed active exploitation of CVE-2026-29074, but its simplicity suggests a potential for future exploitation.
Refer to the SVGO project's repository and release notes for the official advisory and details on the fix: https://github.com/svg/svgo