Impact
DiceBear’s @dicebear/converter library prior to version 9.4.0 contains a memory allocation flaw within its ensureSize() function. The function reads the width and height attributes supplied in an input SVG to calculate the output canvas size for rasterization, leading to uncontrolled memory allocation. An attacker who can supply a crafted SVG with extremely large dimensions (for example, width="999999999") could force the server to allocate an excessive amount of memory, causing a denial of service. The weakness is identified as CWE-770, Memory Allocation or Reallocation with Excessive Size, and impacts availability; it does not directly compromise confidentiality or integrity.
Affected Systems
All versions of the DiceBear library before 9.4.0 are affected. The vulnerability can be exercised in server‑side applications that pass untrusted or user‑supplied SVGs to the converter’s toPng(), toJpeg(), toWebp(), or toAvif() functions. Applications that only rasterize internally generated DiceBear avatars are less likely to be exploitable but should still upgrade, because the insecure code path remains present until version 9.4.0 is deployed. The affected product is dicebear:dicebear across all unspecified versions, as indicated by the CPE entry.
Risk and Exploitability
The CVSS base score is 7.5, reflecting a high severity. The EPSS score is reported as less than 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is server‑side: a web application that accepts user‑submitted SVG files and processes them through the DiceBear converter. Exploitation requires only control of the SVG’s width and height attributes; once an extreme size triggers the allocation, the application may crash or become unresponsive. Given the high impact and modest exploitation likelihood, organizations should treat this as a high‑priority patch.
OpenCVE Enrichment
GitHub GHSA