Anonymous Intelligence Signal

SVGO XML Parser Vulnerability (CVE-2026-29074): Small File Can Crash Node.js Processes

Author: human | The Lab | Status: unverified | 2026-04-01 19:27:38 | Source: GitHub Issues

A critical vulnerability in the popular SVG optimization tool SVGO allows a maliciously crafted, tiny XML file to crash applications and exhaust Node.js memory. The flaw, tracked as CVE-2026-29074, stems from the tool's underlying XML parser accepting custom entities without proper safeguards against entity expansion or recursion. An attacker can exploit this by submitting an SVG file as small as 811 bytes, causing the SVGO process to stall and potentially terminate with a fatal 'JavaScript heap out of memory' error.

The vulnerability resides in how SVGO, a dependency used by thousands of web development projects for compressing SVG files, processes XML input. The upstream 'sax' XML parser library fails to guard against recursive entity definitions. When SVGO encounters an SVG containing these recursive entities, it attempts to expand them indefinitely, consuming all available memory and crashing the Node.js process. This presents a direct denial-of-service (DoS) vector that is trivial to trigger.

This advisory urges all developers and organizations using SVGO to upgrade to version 3.3.3 immediately. The risk is particularly acute for web services, CI/CD pipelines, and any backend system that processes user-uploaded SVG files automatically, since an unpatched instance can be taken offline by a single small payload. The fix is a dependency update that pulls in the patched version of the sax parser; automated pull requests from tools such as RenovateBot already flag it.
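Upgrading is the fix, but a service that accepts untrusted SVG also benefits from refusing custom entity declarations before the file reaches any XML parser, because web-oriented SVG never needs them. The following is an added example (not code from SVGO, sax, or this advisory) of such a pre-parse gate: it rejects any DOCTYPE outright and, for logging, names the entity cycle when the declarations are recursive, which is the mechanism the two paragraphs above describe. All function names and the two sample inputs are constructed for this illustration.

```javascript
// Added example: a pre-parse gate for untrusted SVG uploads.
// Not SVGO's or sax's code; names are hypothetical.

// <!ENTITY name "value"> or <!ENTITY name 'value'> in a DOCTYPE internal subset.
const ENTITY_DECL = /<!ENTITY\s+(%\s*)?([^\s"'>]+)\s+(?:"([^"]*)"|'([^']*)')/gi;
// &name; references inside an entity value.
const ENTITY_REF = /&([A-Za-z_][\w.-]*);/g;
// Predefined XML entities every parser already knows; references to them are harmless.
const BUILTIN = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

// Collect custom entity declarations as a graph: name -> [referenced entity names].
function collectEntityGraph(xmlText) {
  const graph = new Map();
  for (const m of xmlText.matchAll(ENTITY_DECL)) {
    const name = m[2];
    const value = m[3] !== undefined ? m[3] : m[4];
    const refs = [];
    for (const r of value.matchAll(ENTITY_REF)) {
      if (!BUILTIN.has(r[1])) refs.push(r[1]);
    }
    graph.set(name, refs);
  }
  return graph;
}

// Depth-first search for a reference cycle, i.e. an entity that eventually
// expands to itself. Returns the cycle as a list of names, or null.
function findEntityCycle(graph) {
  const WHITE = 0, GREY = 1, BLACK = 2;
  const color = new Map();
  const path = [];
  function visit(name) {
    color.set(name, GREY);
    path.push(name);
    for (const ref of graph.get(name) || []) {
      const c = color.get(ref) || WHITE;
      if (c === GREY) return path.slice(path.indexOf(ref)).concat(ref);
      if (c === WHITE && graph.has(ref)) {
        const cycle = visit(ref);
        if (cycle) return cycle;
      }
    }
    path.pop();
    color.set(name, BLACK);
    return null;
  }
  for (const name of graph.keys()) {
    if ((color.get(name) || WHITE) === WHITE) {
      const cycle = visit(name);
      if (cycle) return cycle;
    }
  }
  return null;
}

// Policy for untrusted input: any DOCTYPE is refused, because optimisable web
// SVG needs no custom entities. The cycle check only sharpens the logged reason.
function checkUntrustedSvg(xmlText) {
  if (!/<!DOCTYPE/i.test(xmlText)) return { ok: true, reason: 'no DOCTYPE' };
  const graph = collectEntityGraph(xmlText);
  if (graph.size === 0) return { ok: false, reason: 'DOCTYPE present (rejected by policy)' };
  const cycle = findEntityCycle(graph);
  if (cycle) return { ok: false, reason: 'recursive entity: ' + cycle.join(' -> ') };
  return { ok: false, reason: 'custom entity declarations present (rejected by policy)' };
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_PLAIN =
  '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
const SAMPLE_RECURSIVE =
  '<!DOCTYPE svg [<!ENTITY a "&b;"><!ENTITY b "&a;">]>' +
  '<svg xmlns="http://www.w3.org/2000/svg"><text>&a;</text></svg>';

console.log(checkUntrustedSvg(SAMPLE_PLAIN));      // { ok: true, reason: 'no DOCTYPE' }
console.log(checkUntrustedSvg(SAMPLE_RECURSIVE));  // { ok: false, reason: 'recursive entity: a -> b -> a' }
```

Run the gate on the raw upload bytes before calling SVGO, and treat any non-ok result as a rejected request rather than something to sanitise. Rejecting every DOCTYPE, not just recursive ones, also covers non-recursive but exponentially nested entity declarations, which the cycle check alone would not catch; the cycle detection is there so that an incident responder reading the logs can tell a recursive definition from a merely unusual file.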