{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dicebear/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DiceBear","@dicebear/converter"],"_cs_severities":["medium"],"_cs_tags":["dos","svg","vulnerability"],"_cs_type":"advisory","_cs_vendors":["DiceBear"],"content_html":"\u003cp\u003eDiceBear is an avatar library used by designers and developers. Prior to version 9.4.2, a vulnerability exists in the \u003ccode\u003e@dicebear/converter\u003c/code\u003e package related to how SVG \u003ccode\u003ewidth\u003c/code\u003e and \u003ccode\u003eheight\u003c/code\u003e attributes are handled. The \u003ccode\u003eensureSize()\u003c/code\u003e function, intended to cap SVG dimensions at 2048px to prevent denial-of-service attacks, employed a regex-based approach. This approach could be circumvented by crafting malicious SVG input that tricks the regex into matching a non-functional \u003ccode\u003e\u0026lt;svg\u003c/code\u003e tag before the actual root element. The subsequent rendering process, which leverages \u003ccode\u003e@resvg/resvg-js\u003c/code\u003e on Node.js, then renders the SVG at the attacker-specified dimensions, potentially consuming excessive memory and leading to out-of-memory crashes, effectively causing a denial of service. Version 9.4.2 addresses this vulnerability by replacing the regex-based approach with XML-aware processing and adding a \u003ccode\u003efitTo\u003c/code\u003e constraint as defense-in-depth.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SVG file with oversized dimensions, designed to exploit the regex bypass. The SVG contains a decoy \u003ccode\u003e\u0026lt;svg\u003c/code\u003e tag before the real root element.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious SVG file to a system utilizing a vulnerable version of DiceBear (prior to 9.4.2). This could be through a file upload mechanism, API endpoint, or other data ingestion method.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eensureSize()\u003c/code\u003e function in \u003ccode\u003e@dicebear/converter\u003c/code\u003e processes the SVG file. The regex incorrectly identifies the decoy \u003ccode\u003e\u0026lt;svg\u003c/code\u003e tag and fails to properly cap the dimensions.\u003c/li\u003e\n\u003cli\u003eThe oversized SVG is passed to \u003ccode\u003e@resvg/resvg-js\u003c/code\u003e for rendering.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e@resvg/resvg-js\u003c/code\u003e attempts to render the SVG at the attacker-specified, oversized dimensions.\u003c/li\u003e\n\u003cli\u003eThe rendering process consumes excessive memory, potentially exhausting available resources.\u003c/li\u003e\n\u003cli\u003eThe Node.js process running the DiceBear library crashes due to an out-of-memory error.\u003c/li\u003e\n\u003cli\u003eThe application relying on DiceBear becomes unavailable, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial of service (DoS) condition, rendering applications that rely on the DiceBear library unavailable. The impact is particularly relevant for services that process user-supplied SVG avatars or images, as malicious users could trigger the vulnerability remotely. While the precise number of affected systems is unknown, any application using DiceBear prior to version 9.4.2 is potentially vulnerable. The CVSS v3.1 score is 7.5, indicating a high potential for disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DiceBear to version 9.4.2 or later to incorporate the fix for CVE-2026-33418.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns in SVG file uploads or processing, looking for requests with extremely large specified dimensions.\u003c/li\u003e\n\u003cli\u003eImplement resource limits on processes that handle SVG rendering to mitigate the impact of potential memory exhaustion attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-dicebear-dos/","summary":"A denial-of-service vulnerability exists in DiceBear versions prior to 9.4.2 due to a bypassable regex in the `ensureSize()` function, allowing attackers to craft SVGs that cause out-of-memory crashes during rendering on Node.js.","title":"DiceBear SVG Size Capping Bypass Leads to Denial of Service","url":"https://feed.craftedsignal.io/briefs/2024-01-dicebear-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - DiceBear","version":"https://jsonfeed.org/version/1.1"}