Cyber Posture

CVE-2026-29112

High

Published: 18 March 2026

Published
18 March 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 18.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29112 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Dicebear Dicebear. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of untrusted SVG inputs, including width and height attributes, to prevent processing of maliciously large dimensions causing memory exhaustion.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of known flaws by upgrading the DiceBear library to version 9.4.0, which ignores SVG dimensions and enforces a maximum size limit.

SC-6 Resource Availability good match
prevent

Enforces resource allocation limits and monitoring to protect against unauthorized memory consumption from crafted SVG rasterization requests.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The CVE describes remote exploitation of a server-side SVG processing function (ensureSize) via untrusted input, directly causing application resource exhaustion (memory allocation) and DoS impact with no code execution or access gained.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF).…

more

An attacker who can supply a crafted SVG with extremely large dimensions (e.g. `width="999999999"`) could force the server to allocate excessive memory, leading to denial of service. This primarily affects server-side applications that pass untrusted or user-supplied SVGs to the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but are still recommended to upgrade. This is fixed in version 9.4.0. The `ensureSize()` function no longer reads SVG attributes to determine output size. Instead, a new `size` option (default: 512, max: 2048) controls the output dimensions. Invalid values (NaN, negative, zero, Infinity) fall back to the default. If upgrading is not immediately possible, validate and sanitize the `width` and `height` attributes of any untrusted SVG input before passing it to the converter.

Deeper analysisAI

CVE-2026-29112 is a denial-of-service vulnerability in the DiceBear avatar library, specifically affecting the `@dicebear/converter` package prior to version 9.4.0. The `ensureSize()` function reads the `width` and `height` attributes from input SVGs to set the output canvas size during rasterization to formats like PNG, JPEG, WebP, or AVIF. A crafted SVG with extremely large dimensions, such as `width="999999999"`, triggers excessive memory allocation on the server, leading to resource exhaustion. This issue primarily impacts server-side applications that process untrusted or user-supplied SVGs via the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions, while applications limited to self-generated DiceBear avatars face low practical risk.

An unauthenticated attacker (AV:N/AC:L/PR:N) with network access can exploit this by submitting a malicious SVG, causing high availability impact (A:H) with a CVSS v3.1 base score of 7.5 (C:N/I:N/S:U). Successful exploitation results in server memory exhaustion and potential denial of service, mapped to CWE-770 (Allocation of Resources Without Limits or Throttling). No user interaction is required, making it suitable for remote attacks against vulnerable endpoints.

The security advisory (GHSA-v3r3-4qgc-vw66) and release notes for v9.4.0 recommend upgrading to version 9.4.0, where `ensureSize()` ignores SVG attributes and uses a new `size` option (default: 512, maximum: 2048) for output dimensions, with invalid values (NaN, negative, zero, Infinity) falling back to the default. As a workaround, applications should validate and sanitize `width` and `height` attributes on untrusted SVGs before passing them to the converter, as detailed in the fixing commit (42a59eac46a3c68598859e608ec45e578b27614a).

Details

CWE(s)
CWE-770

Affected Products

dicebear
dicebear
≤ 9.4.0

CVEs Like This One

CVE-2026-33418Same product: Dicebear Dicebear
CVE-2026-33256Shared CWE-770
CVE-2026-26313Shared CWE-770
CVE-2025-27219Shared CWE-770
CVE-2026-24458Shared CWE-770
CVE-2025-68136Shared CWE-770
CVE-2026-3260Shared CWE-770
CVE-2026-34513Shared CWE-770
CVE-2026-5438Shared CWE-770
CVE-2025-21521Shared CWE-770

References