Bug 2445132 (CVE-2026-29074) - CVE-2026-29074 svgo: SVGO: Denial of Service via XML entity expansion
Summary: CVE-2026-29074 svgo: SVGO: Denial of Service via XML entity expansion
Keywords:
Status: NEW
Alias: CVE-2026-29074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2445364 2445365 2445367 2445368 2445373 2445374 2445375 2445377 2445362 2445363 2445366 2445369 2445370 2445371 2445372 2445376 2445378
Blocks:
Reported: 2026-03-06 08:01 UTC by OSIDB Bzimport
Modified: 2026-03-13 16:31 UTC
CC: 84 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-06 08:01:29 UTC
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities without any guard against entity expansion or recursion. As a result, a small XML file (811 bytes) can stall the application and even crash the Node.js process with a JavaScript heap out-of-memory error. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
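The class of input described above can be screened before it reaches an XML parser. The following is an added example and not SVGO's own code or fix: it reads the `<!ENTITY>` declarations from a document's internal DTD subset, computes each entity's fully expanded size while detecting reference cycles, and rejects the document when either check fails. The 1 MiB budget, the function names and the sample inputs are assumptions made for the example.

```javascript
// Added example (not SVGO code): reject SVG whose DOCTYPE entities would expand past a
// byte budget or refer to themselves, before any XML parser expands them.
const MAX_EXPANDED_BYTES = 1 << 20; // 1 MiB per entity (assumed limit)
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([A-Za-z_][\w.-]*);/g;
// Entity name -> replacement text from the internal DTD subset (empty map if none).
function parseEntities(xml) {
  const entities = new Map();
  const doctype = xml.match(/<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/);
  if (!doctype) return entities;
  for (const m of doctype[1].matchAll(ENTITY_DECL)) entities.set(m[1], m[2] ?? m[3]);
  return entities;
}
// Expanded byte length of `name`; throws on a reference cycle or when the budget is
// exceeded. Unknown/predefined entities (&amp; etc.) count as their literal "&name;".
function expandedLength(name, entities, memo = new Map(), stack = new Set()) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error(`recursive entity reference: ${name}`);
  const value = entities.get(name);
  if (value === undefined) return name.length + 2;
  stack.add(name);
  let total = 0, last = 0;
  for (const m of value.matchAll(ENTITY_REF)) {
    total += m.index - last + expandedLength(m[1], entities, memo, stack);
    if (total > MAX_EXPANDED_BYTES) throw new Error(`entity ${name} expands past budget`);
    last = m.index + m[0].length;
  }
  total += value.length - last;
  stack.delete(name);
  memo.set(name, total);
  return total;
}
// Whole-document verdict: { ok: true, entities: n } or { ok: false, reason }.
function checkSvgEntities(xml) {
  const entities = parseEntities(xml);
  try {
    for (const name of entities.keys()) expandedLength(name, entities);
    return { ok: true, entities: entities.size };
  } catch (e) { return { ok: false, reason: e.message }; }
}
// Constructed inputs: a benign entity, a two-entity cycle, and `levels` nested entities
// each referencing the previous one `fanout` times.
const BENIGN = '<!DOCTYPE svg [<!ENTITY brand "Example">]><svg><text>&brand;</text></svg>';
const RECURSIVE = '<!DOCTYPE svg [<!ENTITY a "&b;"><!ENTITY b "&a;">]><svg>&a;</svg>';
function nestedSample(levels, fanout) {
  let decls = '<!ENTITY e0 "lol">';
  for (let i = 1; i < levels; i++) decls += `<!ENTITY e${i} "${`&e${i - 1};`.repeat(fanout)}">`;
  return `<!DOCTYPE svg [${decls}]><svg><text>&e${levels - 1};</text></svg>`;
}
```

Because sizes are computed from the declarations alone and memoized per entity, the check costs time proportional to the declaration text, not to the expanded output.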

