# Uncontrolled Memory Allocation in DiceBear Converter
CVSS 3.1 base score (GHSA): 7.5
GHSA-v3r3-4qgc-vw66 · CVE-2026-29112
## Summary
The DiceBear Converter, used to rasterize avatars, can be forced to allocate excessive memory when it is given an SVG whose width or height attributes are very large, which can make a server unresponsive. If you use the Converter, update to version 9.4.0 or later, or validate and sanitize user-supplied SVGs before converting them.
## What to do
- Update `@dicebear/converter` to version 9.4.0 or later.
## Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| dicebear | converter | < 9.4.0 | 9.4.0 |
## Original title
Uncontrolled memory allocation via crafted SVG dimensions in @dicebear/converter
## Original description
### Impact
The `ensureSize()` function in `@dicebear/converter` (versions < 9.4.0) read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a crafted SVG with extremely large dimensions (e.g. `width="999999999"`) could force the server to allocate excessive memory, leading to denial of service.
This primarily affects server-side applications that pass **untrusted or user-supplied SVGs** to the converter's `toPng()`, `toJpeg()`, `toWebp()`, or `toAvif()` functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but are still recommended to upgrade.
### Patches
Fixed in version **9.4.0**. The `ensureSize()` function no longer reads SVG attributes to determine output size. Instead, a new `size` option (default: 512, max: 2048) controls the output dimensions. Invalid values (NaN, negative, zero, Infinity) fall back to the default.
### Workarounds
If upgrading is not immediately possible, validate and sanitize the `width` and `height` attributes of any untrusted SVG input before passing it to the converter.
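The following is an added example, not code from `@dicebear/converter`. It illustrates two things from this advisory: a size resolver that mirrors the `size` option semantics described under Patches (default 512, max 2048, NaN/negative/zero/Infinity falling back to the default), and a pre-conversion guard that implements the Workarounds advice for versions before 9.4.0 by bounding the `width` and `height` attributes of untrusted SVGs before they reach `toPng()` and friends. All function names, the default limits, the 4-bytes-per-pixel memory estimate, the choice to clamp (rather than reject) sizes above the maximum, and the sample SVGs are assumptions made for this example.

```javascript
// Added example, not code from @dicebear/converter. Shows (a) a size resolver
// mirroring the 9.4.0 `size` option semantics the advisory describes and (b) a
// pre-conversion guard for untrusted SVGs, usable as the workaround on < 9.4.0.
// Function names, limits and the 4-bytes-per-pixel estimate are assumptions.

const BYTES_PER_PIXEL = 4; // assumed RGBA canvas

// (a) Output size as the fixed version determines it: default 512, max 2048,
// NaN / negative / zero / Infinity fall back to the default. The advisory does
// not say whether values above the maximum clamp or fall back; clamping is an
// assumption made here.
function resolveOutputSize(size, { defaultSize = 512, maxSize = 2048 } = {}) {
  if (typeof size !== 'number' || !Number.isFinite(size)) return defaultSize;
  const n = Math.floor(size);
  if (n <= 0) return defaultSize;
  return Math.min(n, maxSize);
}

// (b) Read a dimension attribute from the root <svg> element. Only a plain
// non-negative number, optionally suffixed "px", is accepted; anything else
// (missing, percent, scientific notation, other units) yields null.
function readSvgDimension(svg, name) {
  const root = svg.match(/<svg\b[^>]*>/i);
  if (!root) return null;
  const attr = root[0].match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
  if (!attr) return null;
  const m = attr[1].trim().match(/^(\d+(?:\.\d+)?)(?:px)?$/i);
  return m ? Number(m[1]) : null;
}

// Rough upper bound on what a rasterizer allocates for a canvas of this size.
function estimateRasterBytes(width, height) {
  return width * height * BYTES_PER_PIXEL;
}

// Reject an SVG before it reaches toPng()/toJpeg()/toWebp()/toAvif() when its
// declared dimensions are absent, unparsable, or would imply an oversized
// canvas. Requiring explicit, bounded dimensions is a policy choice for
// untrusted input; adjust the limits to your own memory budget.
function checkSvgDimensions(svg, { maxDimension = 2048, maxBytes = 64 * 1024 * 1024 } = {}) {
  const dims = { width: readSvgDimension(svg, 'width'), height: readSvgDimension(svg, 'height') };
  for (const [name, value] of Object.entries(dims)) {
    if (value === null) return { ok: false, reason: `${name} missing or not a plain number` };
    if (value <= 0) return { ok: false, reason: `${name}=${value} must be positive` };
    if (value > maxDimension) return { ok: false, reason: `${name}=${value} exceeds ${maxDimension}` };
  }
  const bytes = estimateRasterBytes(dims.width, dims.height);
  if (bytes > maxBytes) return { ok: false, reason: `canvas would need ~${bytes} bytes (> ${maxBytes})` };
  return { ok: true, width: dims.width, height: dims.height, bytes };
}

// Constructed sample inputs (not taken from the advisory, except the
// width="999999999" value it cites as an example of a crafted dimension).
const SAMPLES = {
  benign: '<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128"><rect width="128" height="128"/></svg>',
  crafted: '<svg xmlns="http://www.w3.org/2000/svg" width="999999999" height="999999999"></svg>',
  noDims: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"></svg>',
  sciNotation: '<svg xmlns="http://www.w3.org/2000/svg" width="1e9" height="1e9"></svg>',
};

for (const [label, svg] of Object.entries(SAMPLES)) {
  console.log(label, checkSvgDimensions(svg));
}
console.log('requested size 99999 resolves to', resolveOutputSize(99999));
```

Running the block shows the benign 128x128 avatar passing with an estimated 65536-byte canvas, while the crafted, dimensionless and scientific-notation inputs are all rejected before any allocation happens. The per-dimension cap and the byte budget are checked separately on purpose: two dimensions that are individually acceptable can still multiply into a canvas larger than you want to rasterize for an anonymous caller.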
Vulnerability type: CWE-770 (Allocation of Resources Without Limits)
Published: 16 Mar 2026 · Updated: 16 Mar 2026 · First seen: 16 Mar 2026