SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Weakness
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Svgo | Svgo | 2.1.0 (including) | 2.8.1 (excluding) |
| Svgo | Svgo | 3.0.0 (including) | 3.3.3 (excluding) |
| Svgo | Svgo | 4.0.0 (including) | 4.0.1 (excluding) |
| Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | automation-gateway-0:2.5.20260422-2.el8ap | * |
| Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | automation-gateway-0:2.5.20260422-2.el9ap | * |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | automation-platform-ui-0:2.6.7-1.el9ap | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-main-rhel8:1775594119 | * |
| Red Hat Ansible Automation Platform 2.5 | RedHat | ansible-automation-platform-25/lightspeed-rhel8:1777403872 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/lightspeed-rhel9:1777387242 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/gateway-rhel9:1774243862 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/gateway-rhel9:1774243862 | * |
| Red Hat Developer Hub 1.8 | RedHat | rhdh/rhdh-hub-rhel9:1776784286 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1777903262 | * |
| Red Hat OpenShift AI 2.16 | RedHat | rhoai/odh-dashboard-rhel8:1774282136 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-dashboard-rhel9:1780467029 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-mod-arch-model-registry-rhel9:1780467147 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-dashboard-rhel9:1779189627 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-mod-arch-gen-ai-rhel9:1778473763 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-mod-arch-model-registry-rhel9:1778666987 | * |
| Red Hat OpenShift Dev Spaces 3.28 | RedHat | devspaces/code-rhel9:1779814592 | * |
| Red Hat OpenShift Service Mesh 2.6 | RedHat | openshift-service-mesh/kiali-rhel8:1776191302 | * |
| Red Hat OpenShift Service Mesh 3.0 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1776151124 | * |
| Red Hat OpenShift Service Mesh 3.0 | RedHat | openshift-service-mesh/kiali-rhel9:1776151272 | * |
| Red Hat OpenShift Service Mesh 3.1 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1776151106 | * |
| Red Hat OpenShift Service Mesh 3.1 | RedHat | openshift-service-mesh/kiali-rhel9:1776151270 | * |
| Red Hat OpenShift Service Mesh 3.2 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1776155669 | * |
| Red Hat OpenShift Service Mesh 3.2 | RedHat | openshift-service-mesh/kiali-rhel9:1776149682 | * |
| Red Hat OpenShift Service Mesh 3.3 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1776151134 | * |
| Red Hat OpenShift Service Mesh 3.3 | RedHat | openshift-service-mesh/kiali-rhel9:1776151277 | * |
| Red Hat Quay 3.1 | RedHat | quay/quay-rhel8:1776736910 | * |
| Red Hat Quay 3.12 | RedHat | quay/quay-rhel8:1776752646 | * |
| Red Hat Quay 3.14 | RedHat | quay/quay-rhel8:1779689392 | * |
| Red Hat Quay 3.15 | RedHat | quay/quay-rhel8:1775169219 | * |
| Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1779204086 | * |
| Red Hat Quay 3.17 | RedHat | quay/quay-rhel9:1779922205 | * |
| Red Hat Quay 3.9 | RedHat | quay/quay-rhel8:1775169218 | * |