CVE-2026-29074 (GCVE-0-2026-29074)

Vulnerability from cvelistv5 – Published: 2026-03-06 07:23 – Updated: 2026-03-06 16:05
VLAI
Title
SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs)
Summary
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
Impacted products
Vendor Product Version
svg svgo Affected: >= 2.1.0, < 2.8.1
Affected: >= 3.0.0, < 3.3.3
Affected: = 4.0.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29074",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T15:59:57.009864Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T16:05:10.968Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "svgo",
          "vendor": "svg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.8.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.3.3"
            },
            {
              "status": "affected",
              "version": "= 4.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-776",
              "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T07:23:05.716Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673"
        }
      ],
      "source": {
        "advisory": "GHSA-xpqw-6gx7-v673",
        "discovery": "UNKNOWN"
      },
      "title": "SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29074",
    "datePublished": "2026-03-06T07:23:05.716Z",
    "dateReserved": "2026-03-03T20:51:43.482Z",
    "dateUpdated": "2026-03-06T16:05:10.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-29074",
      "date": "2026-06-06",
      "epss": "0.00085",
      "percentile": "0.24798"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29074\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T08:16:26.920\",\"lastModified\":\"2026-03-10T19:02:54.257\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.\"},{\"lang\":\"es\",\"value\":\"SVGO, abreviatura de SVG Optimizer, es una librer\u00eda de Node.js y una aplicaci\u00f3n de l\u00ednea de comandos para optimizar archivos SVG. Desde la versi\u00f3n 2.1.0 hasta antes de la versi\u00f3n 2.8.1, desde la versi\u00f3n 3.0.0 hasta antes de la versi\u00f3n 3.3.3, y antes de la versi\u00f3n 4.0.1, SVGO acepta XML con entidades personalizadas, sin protecciones contra la expansi\u00f3n o recursi\u00f3n de entidades. Esto puede resultar en que un archivo XML peque\u00f1o (811 bytes) bloquee la aplicaci\u00f3n e incluso colapse el proceso de Node.js con agotamiento de memoria del heap de JavaScript. Este problema ha sido corregido en las versiones 2.8.1, 3.3.3 y 4.0.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-776\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:svgo:svgo:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"2.8.1\",\"matchCriteriaId\":\"9D99C9CE-B129-4A28-81C1-D9D05B9D76A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:svgo:svgo:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.3.3\",\"matchCriteriaId\":\"5883275C-B31D-48E7-91F3-5D21C9D52FFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:svgo:svgo:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.0.1\",\"matchCriteriaId\":\"7553DDA9-8F92-4A46-844E-3DF65F3E2847\"}]}]}],\"references\":[{\"url\":\"https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29074\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T15:59:57.009864Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T15:59:58.148Z\"}}], \"cna\": {\"title\": \"SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs)\", \"source\": {\"advisory\": \"GHSA-xpqw-6gx7-v673\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"svg\", \"product\": \"svgo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.1.0, \u003c 2.8.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.3.3\"}, {\"status\": \"affected\", \"version\": \"= 4.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673\", \"name\": \"https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-776\", \"description\": \"CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T07:23:05.716Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29074\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T16:05:10.968Z\", \"dateReserved\": \"2026-03-03T20:51:43.482Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T07:23:05.716Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.