Bug 2445132 (CVE-2026-29074)

Summary: CVE-2026-29074 svgo: SVGO: Denial of Service via XML entity expansion
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, akostadi, alcohan, alizardo, amasferr, aschwart, asoldano, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, brian.stansberry, caswilli, cmah, darran.lofthouse, dmayorov, doconnor, dosoudil, drosa, dschmidt, eaguilar, ebaron, erezende, eric.wittmann, fjuma, gmalinko, gparvin, istudens, ivassile, iweiss, janstey, jbalunas, jchui, jhe, jkoehler, jlanda, jlledo, jolong, jwong, kaycoth, kshier, ktsao, lchilton, lphiri, mnovotny, mosmerov, mposolda, msvehla, mwringe, nboldt, nipatil, nwallace, omaciel, pahickey, pantinor, pberan, pbizzarr, pdelbell, pesilva, pjindal, pmackay, psrna, rhaigner, rkubis, rmartinc, rstancel, rstepani, sausingh, sdawley, sfeifer, simaishi, smaestri, smcdonal, ssilvert, stcannon, sthorger, teagle, tom.jenkinson, tsedmik, ttakamiy, vmuzikar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in SVGO, an SVG (Scalable Vector Graphics) Optimizer. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by submitting a specially crafted XML file. The application's failure to properly guard against XML entity expansion or recursion can lead to the Node.js process consuming excessive memory and crashing.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2445364, 2445365, 2445367, 2445368, 2445373, 2445374, 2445375, 2445377, 2445362, 2445363, 2445366, 2445369, 2445370, 2445371, 2445372, 2445376, 2445378    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-06 08:01:29 UTC 
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.