SVGO v4.0.1 Security Patch: XML Entity Attack Can Crash Node.js Applications
A critical security flaw in the popular SVG optimization tool SVGO exposes thousands of web applications to denial-of-service attacks. The vulnerability, tracked as CVE-2026-29074, allows a maliciously crafted XML file as small as 811 bytes to stall an application and crash the underlying Node.js process with a 'JavaScript heap out of memory' error. This is not a theoretical risk; it's a direct path for attackers to disrupt services by exhausting system memory through a simple SVG upload or processing request.
The root cause lies in SVGO's upstream XML parser, `sax`, which accepts XML containing custom entity declarations without any safeguard against unbounded or recursive entity expansion. When such a file is processed, the parser enters an infinite expansion loop and rapidly consumes all available memory until the Node.js process is forcibly terminated. The vulnerability is present in SVGO version 4.0.0 and all prior versions that use the affected parser logic. It was addressed in the newly released SVGO v4.0.1, which is now being pushed as a mandatory security update across dependency management systems.
The patch calls for urgent updates in any project that relies on `svgo` for image optimization, a common practice in modern web development frameworks and build pipelines. This includes major UI libraries, design systems, and content management platforms that process user-uploaded SVG assets. Because the attack manifests only as silent resource exhaustion, it is difficult to detect and mitigate without the update, posing a significant operational risk for high-traffic sites that handle media files. Development teams are under pressure to review their dependency trees and apply the patch before this vector is exploited in the wild.
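Two practical checks follow from the two paragraphs above: refusing to hand SVG text that carries entity declarations to the parser at all, and confirming that the installed `svgo` is at or past the fixed release. The following is an added example written for this article, not code from SVGO or the `sax` project. It assumes the caller already has the SVG as a string and will pass it to `svgo.optimize()` (or any other parser) only when the guard returns no rejection reason; the `optimize` callback and the sample inputs are constructed for illustration.

```javascript
// Added example, not SVGO's own code. A legitimate SVG never needs an internal DTD
// subset, so rejecting any document that declares a DOCTYPE or an ENTITY is a safe
// gate to apply before the text reaches the XML parser (relevant to CVE-2026-29074).
const DOCTYPE_RE = /<!DOCTYPE\b/i;
const ENTITY_RE = /<!ENTITY\b/i;

// Returns a reason string if the SVG text must be rejected, or null if it may be parsed.
function rejectReason(svgText) {
  if (typeof svgText !== 'string') return 'input is not a string';
  if (ENTITY_RE.test(svgText)) return 'entity declaration present';
  if (DOCTYPE_RE.test(svgText)) return 'DOCTYPE declaration present';
  return null;
}

// Reports whether an installed svgo version string (e.g. from package.json or
// `npm ls svgo`) is at or above the fixed release 4.0.1. Leading range markers such
// as "^" or "~" are stripped so a package.json constraint can be checked directly.
function isPatchedSvgo(version, fixed = '4.0.1') {
  const parse = (v) => v.replace(/^[^\d]*/, '').split('.').map((n) => parseInt(n, 10) || 0);
  const [have, want] = [parse(version), parse(fixed)];
  for (let i = 0; i < 3; i++) {
    if ((have[i] || 0) > (want[i] || 0)) return true;
    if ((have[i] || 0) < (want[i] || 0)) return false;
  }
  return true; // equal to the fixed version
}

// Wrapper an upload handler or build step would use: `optimize` is the hypothetical
// parser entry point (e.g. svgo.optimize), only invoked when the guard passes.
function optimizeIfSafe(svgText, optimize) {
  const reason = rejectReason(svgText);
  if (reason) throw new Error(`refusing to parse SVG: ${reason}`);
  return optimize(svgText);
}

// Constructed sample inputs (not taken from the advisory). The second declares a
// harmless entity; the guard rejects it because it declares entities at all.
const SAFE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
const ENTITY_SVG = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY e "x">]><svg>&e;</svg>';

console.log('safe sample:', rejectReason(SAFE_SVG));      // null
console.log('entity sample:', rejectReason(ENTITY_SVG));  // entity declaration present
console.log('svgo 4.0.0 patched?', isPatchedSvgo('4.0.0')); // false
console.log('svgo 4.0.1 patched?', isPatchedSvgo('4.0.1')); // true
```

The guard is deliberately coarse: it matches the keywords anywhere in the text, including inside comments or CDATA, so it may reject an unusual but harmless file. For untrusted uploads that trade-off is the right one, because the parser never sees a DOCTYPE at all. The version check is a stopgap for CI; the durable fix is still upgrading `svgo` to 4.0.1 or later.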