{"url":"http://public2.vulnerablecode.io/api/packages/985394?format=json","purl":"pkg:npm/%40dicebear/converter@8.0.0-rc.1","type":"npm","namespace":"@dicebear","name":"converter","version":"8.0.0-rc.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.4.2","latest_non_vulnerable_version":"9.4.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91615?format=json","vulnerability_id":"VCID-4vbx-uu9t-pfgt","summary":"Uncontrolled memory allocation via crafted SVG dimensions in @dicebear/converter\n### Impact\n\nThe `ensureSize()` function in `@dicebear/converter` (versions < 9.4.0) read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. `width=\"999999999\"`) could force the server to allocate excessive memory, leading to denial of service.\n\nThis primarily affects server-side applications that pass **untrusted or user-supplied SVGs** to the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but are still recommended to upgrade.\n\n### Patches\n\nFixed in version **9.4.0**. The `ensureSize()` function no longer reads SVG attributes to determine output size. Instead, a new `size` option (default: 512, max: 2048) controls the output dimensions. Invalid values (NaN, negative, zero, Infinity) fall back to the default.\n\n### Workarounds\n\nIf upgrading is not immediately possible, validate and sanitize the `width` and `height` attributes of any untrusted SVG input before passing it to the converter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29112","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19743","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19628","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19696","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.1974","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29112"},{"reference_url":"https://github.com/dicebear/dicebear","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dicebear/dicebear"},{"reference_url":"https://github.com/dicebear/dicebear/commit/42a59eac46a3c68598859e608ec45e578b27614a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:43:55Z/"}],"url":"https://github.com/dicebear/dicebear/commit/42a59eac46a3c68598859e608ec45e578b27614a"},{"reference_url":"https://github.com/dicebear/dicebear/releases/tag/v9.4.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:43:55Z/"}],"url":"https://github.com/dicebear/dicebear/releases/tag/v9.4.0"},{"reference_url":"https://github.com/dicebear/dicebear/security/advisories/GHSA-v3r3-4qgc-vw66","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:43:55Z/"}],"url":"https://github.com/dicebear/dicebear/security/advisories/GHSA-v3r3-4qgc-vw66"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29112","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29112"},{"reference_url":"https://github.com/advisories/GHSA-v3r3-4qgc-vw66","reference_id":"GHSA-v3r3-4qgc-vw66","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v3r3-4qgc-vw66"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113927?format=json","purl":"pkg:npm/%40dicebear/converter@9.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p1d8-en9e-zyez"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540dicebear/converter@9.4.0"}],"aliases":["CVE-2026-29112","GHSA-v3r3-4qgc-vw66"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4vbx-uu9t-pfgt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91394?format=json","vulnerability_id":"VCID-p1d8-en9e-zyez","summary":"SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()\n## Summary\n\nThe `ensureSize()` function in `@dicebear/converter` used a regex-based approach to rewrite SVG `width`/`height` attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of `<svg` before the actual SVG root element. When the SVG is subsequently rendered via `@resvg/resvg-js` on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes.\n\n## Details\n\nThe vulnerable function used `String.prototype.replace()` with a non-global regex to find and rewrite the first `<svg` tag's dimensions. Since the regex does not distinguish between `<svg` appearing inside non-element XML constructs and the actual SVG root element, a crafted input can cause the regex to match a decoy instead of the real element, leaving the actual SVG dimensions unclamped.\n\nIn the Node.js rendering path, `renderAsync` from `@resvg/resvg-js` was called without a `fitTo` constraint, so it would render at whatever dimensions the SVG element specified — potentially allocating gigabytes of memory.\n\nThe browser code path is **not** vulnerable because it uses the clamped `size` return value from `ensureSize()` to set `canvas.width` and `canvas.height` directly.\n\n## Impact\n\nAny application that passes untrusted or user-supplied SVG content through `@dicebear/converter`'s Node.js conversion functions (`toPng`, `toJpeg`, `toWebp`, `toAvif`) is vulnerable to denial of service via excessive memory allocation. Note that `@dicebear/converter` can be used independently of DiceBear's avatar generation — any SVG string can be passed to the conversion functions.\n\nThe impact is limited to availability — there is no data disclosure or integrity impact. The browser code path is not affected.\n\n## Fix\n\nThe regex-based approach has been replaced with XML-aware processing using `fast-xml-parser` to correctly identify and modify the SVG root element's attributes. Additionally, a `fitTo` constraint has been added to the `renderAsync` call as defense-in-depth, ensuring the rendered output is always bounded regardless of SVG content.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33418","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06185","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06136","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06181","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06197","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33418"},{"reference_url":"https://github.com/dicebear/dicebear","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dicebear/dicebear"},{"reference_url":"https://github.com/dicebear/dicebear/security/advisories/GHSA-7j2x-32w6-p43p","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:10:31Z/"}],"url":"https://github.com/dicebear/dicebear/security/advisories/GHSA-7j2x-32w6-p43p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33418","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33418"},{"reference_url":"https://github.com/advisories/GHSA-7j2x-32w6-p43p","reference_id":"GHSA-7j2x-32w6-p43p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7j2x-32w6-p43p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113541?format=json","purl":"pkg:npm/%40dicebear/converter@9.4.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540dicebear/converter@9.4.2"}],"aliases":["CVE-2026-33418","GHSA-7j2x-32w6-p43p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p1d8-en9e-zyez"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540dicebear/converter@8.0.0-rc.1"}