CVE-2026-29074

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29074.json",
    "cwe_ids": [
        "CWE-776"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/svg/svgo

Affected ranges

Type

GIT

Repo

https://github.com/svg/svgo

Events

Introduced

355fb1ff24d2b90c0376e8d82230cbad6395907b

Fixed

f706b07a77de1f60a3e2c3f7bfd303529a4eb695

Introduced

a40fa216b67d297e84ab8017bf4b45b4a0001223

Fixed

bbab162534d89654ac51c30dd6e62d7163b48a5e

Introduced

71e1f05a7efdb667ff61df53f621e8f3e48076fc

Fixed

e691f5f85d9ff6c8f3bc75dc5150181d314b7f2d

Database specific

{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.8.1"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.3.3"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.1"
        }
    ]
}

Affected versions

v2.*

v2.1.0

v2.2.0

v2.2.1

v2.2.2

v2.3.0

v2.3.1

v2.4.0

v2.5.0

v2.6.0

v2.6.1

v2.7.0

v2.8.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.1.0

v3.2.0

v3.3.2

v4.*

v4.0.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29074.json"