Skip to main content

CVE-2026-29112

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-16 https://github.com/dicebear/dicebear GHSA-v3r3-4qgc-vw66
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 16, 2026 - 17:20 vuln.today
Patch released
Mar 16, 2026 - 17:20 nvd
Patch available
CVE Published
Mar 16, 2026 - 16:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @dicebear/converter (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 9.4.0.

DescriptionGitHub Advisory

Impact

The ensureSize() function in @dicebear/converter (versions < 9.4.0) read the width and height attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. width="999999999") could force the server to allocate excessive memory, leading to denial of service.

This primarily affects server-side applications that pass untrusted or user-supplied SVGs to the converter's toPng(), toJpeg(), toWebp(), or toAvif() functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but are still recommended to upgrade.

Patches

Fixed in version 9.4.0. The ensureSize() function no longer reads SVG attributes to determine output size. Instead, a new size option (default: 512, max: 2048) controls the output dimensions. Invalid values (NaN, negative, zero, Infinity) fall back to the default.

Workarounds

If upgrading is not immediately possible, validate and sanitize the width and height attributes of any untrusted SVG input before passing it to the converter.

AnalysisAI

The @dicebear/converter library before version 9.4.0 fails to validate SVG dimension attributes, allowing attackers to trigger excessive memory allocation by providing crafted SVGs with extremely large width and height values. Server-side applications processing untrusted or user-supplied SVGs through the conversion functions (toPng, toJpeg, toWebp, toAvif) are vulnerable to denial of service attacks. A patch is available in version 9.4.0 and users should upgrade immediately if processing external SVG inputs.

Technical ContextAI

The @dicebear/converter library (CPE: pkg:npm/@dicebear_converter) is used to convert SVG files to raster formats like PNG, JPEG, WebP, and AVIF. The vulnerability stems from improper resource allocation (CWE-770) where the ensureSize() function directly reads width and height attributes from input SVG files without validation. When these attributes contain extremely large values like width='999999999', the converter attempts to allocate a correspondingly massive canvas buffer in memory. This design flaw allows untrusted input to directly control server resource consumption, a classic uncontrolled resource consumption pattern.

RemediationAI

Upgrade @dicebear/converter to version 9.4.0 or later, which implements a complete fix by replacing attribute-based sizing with a controlled size option (default 512px, max 2048px). The patch is available at https://github.com/dicebear/dicebear/commit/42a59eac46a3c68598859e608ec45e578b27614a with full release notes at https://github.com/dicebear/dicebear/releases/tag/v9.4.0. For systems unable to upgrade immediately, implement input validation to sanitize width and height attributes in untrusted SVGs before conversion, rejecting values above reasonable thresholds. See the full advisory at https://github.com/dicebear/dicebear/security/advisories/GHSA-v3r3-4qgc-vw66.

Share

CVE-2026-29112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy