CVE-2026-29074: CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in svg svgo
CVE-2026-29074 is a high-severity vulnerability in SVGO, a popular Node.js library used for optimizing SVG files. The flaw arises from improper restriction of recursive XML entity references in DTDs, allowing crafted SVG files with malicious entity expansions to cause denial of service by exhausting memory resources. A small specially crafted SVG file (811 bytes) can stall the application or crash the Node.js process due to JavaScript heap out of memory errors. This affects SVGO versions from 2.1.0 up to but not including 2.8.1, 3.
AI Analysis
Technical Summary
The vulnerability CVE-2026-29074 in SVGO (SVG Optimizer) stems from CWE-776: Improper Restriction of Recursive Entity References in XML DTDs. SVGO versions 2.1.0 through 2.8.0, 3.0.0 through 3.3.2, and 4.0.0 accept SVG files containing XML with custom entity definitions without adequate safeguards against recursive or excessive entity expansion. This flaw enables an attacker to craft a malicious SVG file embedding recursive XML entities that cause exponential entity expansion during parsing. When SVGO processes such a file, it can lead to excessive memory consumption, resulting in the Node.js process crashing due to JavaScript heap out of memory errors or the application becoming unresponsive. The issue is a denial-of-service (DoS) vulnerability impacting availability but does not compromise confidentiality or integrity. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it particularly dangerous in automated environments where untrusted SVG files are processed. The vulnerability was assigned a CVSS v3.1 base score of 7.5 (high severity), reflecting its network attack vector, no required privileges or user interaction, and high impact on availability. The issue has been addressed in SVGO versions 2.8.1, 3.3.3, and 4.0.1 by implementing proper restrictions on entity expansion to prevent recursive or excessive resource consumption during XML parsing.
Potential Impact
Organizations using SVGO for automated SVG optimization, especially in web development, CI/CD pipelines, or content management systems, are at risk of denial-of-service attacks. An attacker can supply a malicious SVG file that triggers excessive memory consumption, causing the Node.js process to crash or stall. This can lead to service outages, degraded performance, or disruption of automated workflows that rely on SVG processing. Since SVGO is widely used in frontend build processes and graphic asset pipelines, the impact can cascade to web applications, developer productivity, and continuous integration systems. The vulnerability does not expose sensitive data or allow code execution, but the availability impact can be severe, especially in high-throughput or public-facing environments. Additionally, the ease of exploitation without authentication increases the risk of automated attacks. Organizations that integrate SVGO into backend services or accept user-uploaded SVG files without validation are particularly vulnerable.
Mitigation Recommendations
1. Upgrade SVGO to the patched versions 2.8.1, 3.3.3, or 4.0.1 immediately to ensure the vulnerability is fixed.
2. Implement input validation and sanitization to reject SVG files containing DTDs or custom XML entities before processing.
3. Use XML parsers or libraries that enforce strict limits on entity expansion and recursion to prevent resource exhaustion.
4. Employ runtime resource limits (memory and CPU) on processes handling SVG optimization to contain potential DoS impacts.
5. If upgrading is not immediately possible, consider disabling SVG optimization or processing untrusted SVG files in isolated environments or sandboxes.
6. Monitor application logs and system metrics for signs of memory exhaustion or crashes related to SVG processing.
7. Educate developers and DevOps teams about the risks of processing untrusted XML content and the importance of patching dependencies promptly.
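Recommendations 2 and 3 above, as an added Node.js pre-filter that is not SVGO's own code: it parses `<!ENTITY>` declarations from an SVG's internal DTD subset, detects recursive references (the CWE-776 case) and bounds the total expanded size before the text is handed to `svgo.optimize()`. The 100,000-character budget and the constructed nested-entity sample are assumptions, not values from the advisory.

```javascript
// Added example (not SVGO's own code): pre-filter that inspects SVG text for DTD
// entity declarations and bounds their expansion before svgo.optimize() runs.
const MAX_EXPANSION = 100000; // assumed budget (characters), not from the advisory

// Collect <!ENTITY name "value"> declarations from the internal DTD subset.
function parseEntities(svgText) {
  const entities = new Map();
  const decl = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  for (const m of svgText.matchAll(decl)) entities.set(m[1], m[2] ?? m[3]);
  return entities;
}

// Expanded length of &name;, detecting cycles (the CWE-776 recursion case).
function expandedSize(name, entities, memo, stack = new Set()) {
  if (stack.has(name)) throw new Error(`recursive entity reference: &${name};`);
  if (memo.has(name)) return memo.get(name);
  const value = entities.get(name);
  if (value === undefined) return name.length + 2; // undeclared: stays literal text
  stack.add(name);
  let size = 0, last = 0;
  for (const m of value.matchAll(/&([A-Za-z_][\w.-]*);/g)) {
    size += m.index - last + expandedSize(m[1], entities, memo, stack);
    last = m.index + m[0].length;
    if (size > MAX_EXPANSION) break; // already over budget; no need to finish
  }
  size += value.length - last;
  stack.delete(name); memo.set(name, size);
  return size;
}

// Returns { safe, expansion[, reason] }; rejects recursion or over-budget expansion.
function assessSvg(svgText) {
  const entities = parseEntities(svgText);
  if (entities.size === 0) return { safe: true, expansion: 0 };
  const end = svgText.indexOf(']>'); // end of the internal DTD subset, if any
  const body = end >= 0 ? svgText.slice(end + 2) : svgText;
  const memo = new Map(); let total = 0;
  try {
    for (const m of body.matchAll(/&([A-Za-z_][\w.-]*);/g)) {
      total += expandedSize(m[1], entities, memo);
      if (total > MAX_EXPANSION) return { safe: false, expansion: total, reason: 'entity expansion exceeds budget' };
    }
  } catch (e) { return { safe: false, expansion: Infinity, reason: e.message }; }
  return { safe: true, expansion: total };
}

// Constructed sample: nested entities, 5 levels of 10 references each (lol5 expands to 300,000 chars).
const dtd = ['<!ENTITY lol0 "lol">'];
for (let i = 1; i <= 5; i++) dtd.push(`<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(10)}">`);
const sampleSvg = (ref) => `<?xml version="1.0"?><!DOCTYPE svg [${dtd.join('')}]><svg>${ref}</svg>`;
```

A stricter gate that simply rejects any input containing `<!DOCTYPE` (recommendation 2) needs none of the sizing logic; the estimate is useful where internal DTDs must be tolerated.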
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T20:51:43.482Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa82b7c48b3f10ff296e5d
Added to database: 3/6/2026, 7:31:03 AM
Last enriched: 3/6/2026, 7:45:40 AM
Last updated: 3/6/2026, 3:08:55 PM