Description
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via XML entity expansion
Action: Immediate Patch
AI Analysis

Impact

SVGO, a Node.js library that optimizes SVG files, parses XML with custom entities without limiting their expansion. The flaw allows an attacker to supply a deceptively small XML document whose nested entity references expand into a far larger amount of data, exhausting the JavaScript heap and causing the application to stall or crash. The result is a denial-of-service condition for any process that uses SVGO to optimize SVG input.

Affected Systems

The vulnerability affects the SVGO Node.js library and command-line tool. Versions 2.1.0 through 2.8.0, 3.0.0 through 3.3.2, and any 4.0.0 release prior to 4.0.1 are impacted. The issue was fixed in versions 2.8.1, 3.3.3, and 4.0.1.

Risk and Exploitability

This vulnerability carries a CVSS score of 7.5 and an EPSS under 1%, indicating high severity but a low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. The exploitation path typically involves an attacker supplying a crafted SVG file to an application that processes SVG via SVGO. Successful exploitation leads to memory exhaustion and a process crash, effectively denying service to legitimate users.

Generated by OpenCVE AI on April 16, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SVGO 2.8.1, 3.3.3, or 4.0.1, or any later release that contains the fix.
  • If an upgrade is not immediately possible, remove or disable "custom entity handling" in SVGO or pre‑sanitize SVG input with an external XML parser that blocks entity expansion.
  • Enforce strict resource limits on the Node.js process (e.g., memory caps or timeout settings) and validate the size of SVG files before passing them to SVGO.
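As an added example of the pre-sanitization step in the second and third actions (this is not SVGO's or OpenCVE's code), the gate below inspects the DOCTYPE internal subset for general entity declarations and computes each entity's fully expanded length without performing the expansion, rejecting recursive or oversized definitions before the document reaches SVGO. The sample SVG, the byte threshold and the function names are constructed for this illustration.

```javascript
// Added example, not SVGO code: size DOCTYPE entity expansion (CWE-776) without performing it.
const ENTITY_DECL_RE = /<!ENTITY\s+([^\s%>]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF_RE = /&([^;\s&<]+);/g;
// General entity declarations (first wins); parameter entities "<!ENTITY % ..." are skipped.
function parseEntityDecls(xml) {
  const decls = new Map();
  for (const m of xml.matchAll(ENTITY_DECL_RE)) {
    if (!decls.has(m[1])) decls.set(m[1], m[2] ?? m[3]);
  }
  return decls;
}
// Expanded length of each entity, memoised; undeclared/built-in refs count as literal "&name;".
function expandedLengths(decls) {
  const sizes = new Map(), visiting = new Set();
  let recursive = false;
  const sizeOf = (name) => {
    if (sizes.has(name)) return sizes.get(name);
    if (visiting.has(name)) { recursive = true; return 0; } // cycle: entity refers back to itself
    const body = decls.get(name);
    if (body === undefined) return name.length + 2;
    visiting.add(name);
    let total = 0, last = 0;
    for (const m of body.matchAll(ENTITY_REF_RE)) {
      total += m.index - last + sizeOf(m[1]); // literal text before the ref + the ref's size
      last = m.index + m[0].length;
    }
    total += body.length - last;
    visiting.delete(name);
    sizes.set(name, total);
    return total;
  };
  for (const name of decls.keys()) sizeOf(name);
  return { sizes, recursive };
}
// Gate before svgo.optimize(): reject recursive or oversized entity definitions.
function checkSvgBeforeOptimize(xml, maxExpandedBytes = 10000) {
  if (!/<!DOCTYPE\b/i.test(xml)) return { ok: true };
  const decls = parseEntityDecls(xml);
  if (decls.size === 0) return { ok: true };
  const { sizes, recursive } = expandedLengths(decls);
  if (recursive) return { ok: false, reason: 'recursive entity definition' };
  const largest = Math.max(...sizes.values());
  if (largest > maxExpandedBytes) return { ok: false, reason: `entity expands to ${largest} bytes` };
  return { ok: true };
}
// Constructed sample (not from the advisory): &b; = 10 x &a; = 100 characters when expanded.
const SAMPLE_SVG = `<!DOCTYPE svg [ <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>`;
```

The byte threshold is a deployment choice; a legitimate SVG rarely needs a DOCTYPE at all, so rejecting any document with entity declarations is also a defensible policy.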

Advisories
Source: GitHub GHSA
ID: GHSA-xpqw-6gx7-v673
Title: SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
History

Sat, 14 Mar 2026 00:15:00 +0000
  References
  Metrics: threat_severity removed "None", added "Important"

Tue, 10 Mar 2026 19:15:00 +0000
  First Time appeared: Svgo; Svgo svgo
  CPEs: cpe:2.3:a:svgo:svgo:*:*:*:*:*:node.js:*:*
  Vendors & Products: Svgo; Svgo svgo

Fri, 06 Mar 2026 16:15:00 +0000
  Metrics: ssvc added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000
  First Time appeared: Svg; Svg svgo
  Vendors & Products: Svg; Svg svgo

Fri, 06 Mar 2026 07:30:00 +0000
  Description: added (text as in the Description section above)
  Title: SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs)
  Weaknesses: CWE-776
  References
  Metrics: cvssV3_1 added {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-06T16:05:10.968Z
  Reserved: 2026-03-03T20:51:43.482Z
  Link: CVE-2026-29074

Vulnrichment
  Updated: 2026-03-06T15:59:58.148Z

NVD
  Status: Analyzed
  Published: 2026-03-06T08:16:26.920
  Modified: 2026-03-10T19:02:54.257
  Link: CVE-2026-29074

Red Hat
  Severity: Important
  Public Date: 2026-03-06T07:23:05Z
  Links: CVE-2026-29074 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-16T11:30:15Z

Weaknesses