2445132 – (CVE-2026-29074) CVE-2026-29074 svgo: SVGO: Denial of Service via XML entity expansion

Bug 2445132 (CVE-2026-29074) - CVE-2026-29074 svgo: SVGO: Denial of Service via XML entity expansion

Summary: CVE-2026-29074 svgo: SVGO: Denial of Service via XML entity expansion

Keywords:
Status:	NEW
Alias:	CVE-2026-29074
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2445364 2445365 2445367 2445368 2445373 2445374 2445375 2445377 2445362 2445363 2445366 2445369 2445370 2445371 2445372 2445376 2445378
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-06 08:01 UTC by OSIDB Bzimport
Modified:	2026-05-04 14:15 UTC (History)
CC List:	92 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:13512	0	None	None	None	2026-05-04 14:15:44 UTC
Red Hat Product Errata	RHSA-2026:6277	0	None	None	None	2026-03-31 16:03:58 UTC

Description OSIDB Bzimport 2026-03-06 08:01:29 UTC

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.

Comment 2 errata-xmlrpc 2026-03-31 16:03:52 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:6277 https://access.redhat.com/errata/RHSA-2026:6277

Comment 3 errata-xmlrpc 2026-05-04 14:15:39 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:13512 https://access.redhat.com/errata/RHSA-2026:13512

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
akostadi
alcohan
alizardo
amasferr
aschwart
asoldano
aszczucz
bbaranow
bbrownin
bdettelb
bmaxwell
boliveir
brian.stansberry
bstansbe
caswilli
cmah
darran.lofthouse
dlofthou
dmayorov
doconnor
dosoudil
drichtar
drosa
dschmidt
eaguilar
ebaron
erezende
eric.wittmann
ewittman
fjuma
gmalinko
gparvin
istudens
ivassile
iweiss
janstey
jbalunas
jchui
jhe
jkoehler
jlanda
jlledo
jolong
jwong
kaycoth
kshier
ktsao
lchilton
lphiri
mnovotny
mosmerov
mposolda
msvehla
mwringe
nboldt
nipatil
nwallace
oaljalju
omaciel
pahickey
pantinor
pberan
pbizzarr
pdelbell
pesilva
pjindal
pmackay
psrna
rhaigner
rkubis
rmartinc
rstancel
rstepani
sausingh
sdawley
sfeifer
simaishi
smaestri
smcdonal
ssilvert
stcannon
sthorger
teagle
thjenkin
tom.jenkinson
tsedmik
ttakamiy
vdosoudi
vmuzikar
yguenane