Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in svgo
CVE-2026-29074
- svgo
Summary
SVGO is a Node.js library and command-line tool for optimizing SVG files. Versions 2.1.0 through 2.8.0, 3.0.0 through 3.3.2, and 4.x versions prior to 4.0.1 accept XML that declares custom entities in an internal DTD subset without any guard against nested (exponential) expansion or recursive (self-referencing) definitions. A small crafted file, approximately 811 bytes, is enough to stall the process or crash it with a JavaScript heap out-of-memory error once the entities are expanded. Any deployment that runs SVGO on untrusted SVG input, such as an upload pipeline or a build step that processes third-party assets, is exposed. The issue is patched in versions 2.8.1, 3.3.3, and 4.0.1.
- Attack complexity: LOW
- Attack vector: NETWORK
- Privileges required: NONE
- Scope: UNCHANGED
- User interaction: NONE
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
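As an added example (not code from the svgo project or from this advisory), the guard below shows one way to apply the control this CWE calls for before an SVG string reaches an XML parser or svgo's optimize(): it statically bounds how far the internal-DTD entities could expand and refuses recursive definitions, without ever materialising the expanded text. The sample documents, the growth limit and every function name are constructed for illustration; the billion-laughs sample is four levels deep with ten references per level, not the specific ~811-byte file from the report. Where untrusted SVG never legitimately needs a DTD, simply rejecting any input containing `<!DOCTYPE` is the cheaper mitigation.

```javascript
'use strict';
// Added example, not svgo code: pre-parse guard against XML entity expansion
// (CWE-776). Limits, names and sample documents are illustrative assumptions.

const PREDEFINED = new Set(['lt', 'gt', 'amp', 'quot', 'apos']);
const DOCTYPE_RE = /<!DOCTYPE\b[^\[>]*(?:\[([\s\S]*?)\]\s*)?>/i;

// Collect general internal entities (<!ENTITY name "value">) from the DTD
// internal subset. Parameter entities (<!ENTITY % ...>) and external ones
// (SYSTEM/PUBLIC) are not parsed, only counted as `unsupported`.
function extractInternalEntities(xml) {
  const entities = new Map();
  const m = DOCTYPE_RE.exec(xml);
  if (!m || m[1] === undefined) return { entities, unsupported: 0 };
  const subset = m[1];
  const declRe = /<!ENTITY\s+([^\s%"'<>&]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let decl;
  while ((decl = declRe.exec(subset)) !== null) {
    entities.set(decl[1], decl[2] !== undefined ? decl[2] : decl[3]);
  }
  const declared = (subset.match(/<!ENTITY\b/g) || []).length;
  return { entities, unsupported: declared - entities.size };
}

// Length of `text` once every entity reference is fully expanded. Memoised,
// so the expanded text is never built; throws on a cycle (&x; -> &y; -> &x;).
function expandedLength(text, entities, visiting, memo) {
  const refRe = /&([^;&\s<>]+);/g; // fresh regex per call: this function recurses
  let size = 0, last = 0, ref;
  while ((ref = refRe.exec(text)) !== null) {
    size += ref.index - last;
    last = ref.index + ref[0].length;
    const name = ref[1];
    if (name.startsWith('#') || PREDEFINED.has(name)) {
      size += 1; // character reference or built-in entity: one character
    } else if (!entities.has(name)) {
      size += ref[0].length; // undeclared: a strict parser rejects it anyway
    } else {
      if (visiting.has(name)) throw new Error(`recursive entity reference: &${name};`);
      if (!memo.has(name)) {
        visiting.add(name);
        memo.set(name, expandedLength(entities.get(name), entities, visiting, memo));
        visiting.delete(name);
      }
      size += memo.get(name);
    }
  }
  return size + (text.length - last);
}

// Expanded size of each declared entity by name, for reporting.
function entityExpansionSizes(xml) {
  const { entities } = extractInternalEntities(xml);
  const memo = new Map();
  for (const [name, value] of entities) {
    if (!memo.has(name)) memo.set(name, expandedLength(value, entities, new Set([name]), memo));
  }
  return memo;
}

// Verdict for one document: whether to accept it, why, and how many bytes the
// body would grow by if every reference were expanded (null when refused early).
function assessEntityExpansion(xml, { maxGrowth = 10000, allowUnsupported = false } = {}) {
  const { entities, unsupported } = extractInternalEntities(xml);
  if (unsupported > 0 && !allowUnsupported) {
    return { ok: false, reason: `${unsupported} parameter/external entity declaration(s) refused`, growth: null };
  }
  if (entities.size === 0) return { ok: true, reason: 'no internal entities', growth: 0 };
  const body = xml.replace(DOCTYPE_RE, '');
  let growth;
  try {
    growth = expandedLength(body, entities, new Set(), new Map()) - body.length;
  } catch (err) {
    return { ok: false, reason: err.message, growth: null };
  }
  if (growth > maxGrowth) return { ok: false, reason: `expansion adds ${growth} bytes (limit ${maxGrowth})`, growth };
  return { ok: true, reason: 'within limit', growth };
}

// Constructed samples. In BOMB_SVG each level references the previous one ten
// times, so &d; alone expands to 50 000 characters; real bombs nest deeper.
const level = (name) => Array(10).fill(`&${name};`).join('');
const BOMB_SVG = `<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY a "${'a'.repeat(50)}">
  <!ENTITY b "${level('a')}">
  <!ENTITY c "${level('b')}">
  <!ENTITY d "${level('c')}">
]>
<svg xmlns="http://www.w3.org/2000/svg"><title>&d;</title></svg>`;
const RECURSIVE_SVG = `<!DOCTYPE svg [ <!ENTITY x "&y;"> <!ENTITY y "&x;"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><title>&x;</title></svg>`;
const EXTERNAL_SVG = `<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><title>&ext;</title></svg>`;
const BENIGN_SVG = `<!DOCTYPE svg [ <!ENTITY co "ACME Corp"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><title>&co;</title><rect width="10" height="10"/></svg>`;
const PLAIN_SVG = `<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>`;

for (const [label, doc] of Object.entries({ BOMB_SVG, RECURSIVE_SVG, EXTERNAL_SVG, BENIGN_SVG, PLAIN_SVG })) {
  console.log(label.padEnd(14), JSON.stringify(assessEntityExpansion(doc)));
}
```

Running the file prints one verdict per sample: the bomb is refused because the body would grow by 49 997 bytes, the recursive document is refused with the name of the cycling entity, the external-entity document is refused without being parsed further, and the two benign documents pass. The memoised size computation is what keeps the guard cheap: it works in time proportional to the number of declarations and references, never allocating the expanded string, which is precisely the allocation that takes the vulnerable versions down.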
References
Advisory Timeline
- Published