How to fix CVE-2026-29112?

Q: How to fix CVE-2026-29112?

Within 24 hours: Identify all applications using @dicebear/converter and assess whether they process untrusted SVG inputs. Within 7 days: Deploy version 9.4.0 or later to all affected systems; coordinate with development and DevOps teams for testing and staging validation. Within 30 days: Verify patch deployment across all production environments and update dependency scanning tools to prevent regression.

CVE-2026-29112

HIGH

2026-03-16 https://github.com/dicebear/dicebear

GHSA-v3r3-4qgc-vw66

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 17:20 vuln.today

Patch Released

Mar 16, 2026 - 17:20 nvd

Patch available

CVE Published

Mar 16, 2026 - 16:15 nvd

HIGH 7.5

Description

### Impact The `ensureSize()` function in `@dicebear/converter` (versions < 9.4.0) read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. `width="999999999"`) could force the server to allocate excessive memory, leading to denial of service. This primarily affects server-side applications that pass **untrusted or user-supplied SVGs** to the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but are still recommended to upgrade. ### Patches Fixed in version **9.4.0**. The `ensureSize()` function no longer reads SVG attributes to determine output size. Instead, a new `size` option (default: 512, max: 2048) controls the output dimensions. Invalid values (NaN, negative, zero, Infinity) fall back to the default. ### Workarounds If upgrading is not immediately possible, validate and sanitize the `width` and `height` attributes of any untrusted SVG input before passing it to the converter.

Analysis

The @dicebear/converter library before version 9.4.0 fails to validate SVG dimension attributes, allowing attackers to trigger excessive memory allocation by providing crafted SVGs with extremely large width and height values. Server-side applications processing untrusted or user-supplied SVGs through the conversion functions (toPng, toJpeg, toWebp, toAvif) are vulnerable to denial of service attacks. …

Remediation

Within 24 hours: Identify all applications using @dicebear/converter and assess whether they process untrusted SVG inputs. Within 7 days: Deploy version 9.4.0 or later to all affected systems; coordinate with development and DevOps teams for testing and staging validation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2026-29112 vulnerability details – vuln.today

Back

CVE-2026-29112

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-29112

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code