{
  "url": "http://public2.vulnerablecode.io/api/packages/967144?format=json",
  "purl": "pkg:npm/%40dicebear/converter@5.0.0-beta.3",
  "type": "npm",
  "namespace": "@dicebear",
  "name": "converter",
  "version": "5.0.0-beta.3",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "9.4.2",
  "latest_non_vulnerable_version": "9.4.2",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74075?format=json",
      "vulnerability_id": "VCID-3bdu-mxdu-uqf1",
      "summary": "DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. `width=\"999999999\"`) could force the server to allocate excessive memory, leading to denial of service. This primarily affects server-side applications that pass untrusted or user-supplied SVGs to the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but are still recommended to upgrade. This is fixed in version 9.4.0. The `ensureSize()` function no longer reads SVG attributes to determine output size. Instead, a new `size` option (default: 512, max: 2048) controls the output dimensions. Invalid values (NaN, negative, zero, Infinity) fall back to the default. If upgrading is not immediately possible, validate and sanitize the `width` and `height` attributes of any untrusted SVG input before passing it to the converter.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29112",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "0.00063",
              "scoring_system": "epss",
              "scoring_elements": "0.19741",
              "published_at": "2026-06-11T12:55:00Z"
            }
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29112"
        },
        {
          "reference_url": "https://github.com/dicebear/dicebear",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/dicebear/dicebear"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29112",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29112"
        },
        {
          "reference_url": "https://github.com/dicebear/dicebear/commit/42a59eac46a3c68598859e608ec45e578b27614a",
          "reference_id": "42a59eac46a3c68598859e608ec45e578b27614a",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:43:55Z/"
            }
          ],
          "url": "https://github.com/dicebear/dicebear/commit/42a59eac46a3c68598859e608ec45e578b27614a"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-v3r3-4qgc-vw66",
          "reference_id": "GHSA-v3r3-4qgc-vw66",
          "reference_type": "",
          "scores": [
            {
              "value": "HIGH",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/advisories/GHSA-v3r3-4qgc-vw66"
        },
        {
          "reference_url": "https://github.com/dicebear/dicebear/security/advisories/GHSA-v3r3-4qgc-vw66",
          "reference_id": "GHSA-v3r3-4qgc-vw66",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:43:55Z/"
            }
          ],
          "url": "https://github.com/dicebear/dicebear/security/advisories/GHSA-v3r3-4qgc-vw66"
        },
        {
          "reference_url": "https://github.com/dicebear/dicebear/releases/tag/v9.4.0",
          "reference_id": "v9.4.0",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:43:55Z/"
            }
          ],
          "url": "https://github.com/dicebear/dicebear/releases/tag/v9.4.0"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/375131?format=json",
          "purl": "pkg:npm/%40dicebear/converter@9.4.0",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {
              "vulnerability": "VCID-fe92-sddw-afcn"
            }
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540dicebear/converter@9.4.0"
        }
      ],
      "aliases": [
        "CVE-2026-29112",
        "GHSA-v3r3-4qgc-vw66"
      ],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3bdu-mxdu-uqf1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77675?format=json",
      "vulnerability_id": "VCID-fe92-sddw-afcn",
      "summary": "DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the `ensureSize()` function in `@dicebear/converter` used a regex-based approach to rewrite SVG `width`/`height` attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of `<svg` before the actual SVG root element. When the SVG is subsequently rendered via `@resvg/resvg-js` on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes. In version 9.4.2, the regex-based approach has been replaced with XML-aware processing using `fast-xml-parser` to correctly identify and modify the SVG root element's attributes. Additionally, a `fitTo` constraint has been added to the `renderAsync` call as defense-in-depth, ensuring the rendered output is always bounded regardless of SVG content.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33418",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "0.00021",
              "scoring_system": "epss",
              "scoring_elements": "0.062",
              "published_at": "2026-06-11T12:55:00Z"
            }
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33418"
        },
        {
          "reference_url": "https://github.com/dicebear/dicebear",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/dicebear/dicebear"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33418",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33418"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-7j2x-32w6-p43p",
          "reference_id": "GHSA-7j2x-32w6-p43p",
          "reference_type": "",
          "scores": [
            {
              "value": "HIGH",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/advisories/GHSA-7j2x-32w6-p43p"
        },
        {
          "reference_url": "https://github.com/dicebear/dicebear/security/advisories/GHSA-7j2x-32w6-p43p",
          "reference_id": "GHSA-7j2x-32w6-p43p",
          "reference_type": "",
          "scores": [
            {
              "value": "7.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            {
              "value": "HIGH",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:10:31Z/"
            }
          ],
          "url": "https://github.com/dicebear/dicebear/security/advisories/GHSA-7j2x-32w6-p43p"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/374980?format=json",
          "purl": "pkg:npm/%40dicebear/converter@9.4.2",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540dicebear/converter@9.4.2"
        }
      ],
      "aliases": [
        "CVE-2026-33418",
        "GHSA-7j2x-32w6-p43p"
      ],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fe92-sddw-afcn"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540dicebear/converter@5.0.0-beta.3"
}