What is the CVSS score of CVE-2026-29074?

CVE-2026-29074 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2026-29074?

SVGO, a widely-used SVG optimization library, contains a denial-of-service vulnerability that allows attackers to crash applications and services using maliciously crafted SVG files.. A patch is available.

Is there a public PoC exploit available for CVE-2026-29074?

Yes, a public proof-of-concept exploit is available for CVE-2026-29074. Prioritise patching immediately. EPSS: 0.1%.

Node.js CVE-2026-29074

HIGH

Improper Restriction of Recursive Entity References in DTDs (CWE-776)

2026-03-06 security-advisories@github.com

GHSA-xpqw-6gx7-v673

Denial Of Service Node.js Golang Red Hat Svgo Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 10, 2026 - 19:02 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 08:16 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on svgo (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.1.0.

DescriptionNVD

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.

AnalysisAI

Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. …

RemediationAI

Within 24 hours: Identify all internal systems and dependencies using SVGO (versions 2.1.0-2.8.0, 3.0.0-3.3.2, and 4.0.0) through software composition analysis and inventory review. Within 7 days: Implement compensating controls (input validation, request timeouts, rate limiting) on all systems accepting SVG uploads until patches are available; communicate patch timeline to stakeholders. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory