<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Dicebear/Converter - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@dicebear/converter/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@dicebear/converter/feed.xml" rel="self" type="application/rss+xml"/><item><title>DiceBear SVG Size Capping Bypass Leads to Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-dicebear-dos/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-dicebear-dos/</guid><description>A denial-of-service vulnerability exists in DiceBear versions prior to 9.4.2 due to a bypassable regex in the `ensureSize()` function, allowing attackers to craft SVGs that cause out-of-memory crashes during rendering on Node.js.</description><content:encoded><![CDATA[<p>DiceBear is an avatar library used by designers and developers. Prior to version 9.4.2, a vulnerability exists in the <code>@dicebear/converter</code> package related to how SVG <code>width</code> and <code>height</code> attributes are handled. The <code>ensureSize()</code> function, intended to cap SVG dimensions at 2048px to prevent denial-of-service attacks, employed a regex-based approach. This approach could be circumvented by crafting malicious SVG input that tricks the regex into matching a non-functional <code>&lt;svg</code> tag before the actual root element. The subsequent rendering process, which leverages <code>@resvg/resvg-js</code> on Node.js, then renders the SVG at the attacker-specified dimensions, potentially consuming excessive memory and leading to out-of-memory crashes, effectively causing a denial of service. Version 9.4.2 addresses this vulnerability by replacing the regex-based approach with XML-aware processing and adding a <code>fitTo</code> constraint as defense-in-depth.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious SVG file with oversized dimensions, designed to exploit the regex bypass. The SVG contains a decoy <code>&lt;svg</code> tag before the real root element.</li>
<li>The attacker delivers the malicious SVG file to a system utilizing a vulnerable version of DiceBear (prior to 9.4.2). This could be through a file upload mechanism, API endpoint, or other data ingestion method.</li>
<li>The vulnerable <code>ensureSize()</code> function in <code>@dicebear/converter</code> processes the SVG file. The regex incorrectly identifies the decoy <code>&lt;svg</code> tag and fails to properly cap the dimensions.</li>
<li>The oversized SVG is passed to <code>@resvg/resvg-js</code> for rendering.</li>
<li><code>@resvg/resvg-js</code> attempts to render the SVG at the attacker-specified, oversized dimensions.</li>
<li>The rendering process consumes excessive memory, potentially exhausting available resources.</li>
<li>The Node.js process running the DiceBear library crashes due to an out-of-memory error.</li>
<li>The application relying on DiceBear becomes unavailable, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to a denial of service (DoS) condition, rendering applications that rely on the DiceBear library unavailable. The impact is particularly relevant for services that process user-supplied SVG avatars or images, as malicious users could trigger the vulnerability remotely. While the precise number of affected systems is unknown, any application using DiceBear prior to version 9.4.2 is potentially vulnerable. The CVSS v3.1 score is 7.5, indicating a high potential for disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade DiceBear to version 9.4.2 or later to incorporate the fix for CVE-2026-33418.</li>
<li>Monitor web server logs for unusual patterns in SVG file uploads or processing, looking for requests with extremely large specified dimensions.</li>
<li>Implement resource limits on processes that handle SVG rendering to mitigate the impact of potential memory exhaustion attacks.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>dos</category><category>svg</category><category>vulnerability</category></item></channel></rss>