DiceBear Avatar Library Denial-of-Service Vulnerability via Crafted SVG Dimensions
Vulnerability
A denial-of-service vulnerability has been identified in the DiceBear avatar library, specifically in the @dicebear/converter package prior to version 9.4.0. The issue arises in the ensureSize() function, which previously used the width and height attributes of the input SVG to determine the output canvas size for rasterization. An attacker could exploit this by supplying an SVG with excessively large dimensions, causing the server to allocate excessive memory and leading to a denial-of-service condition. This vulnerability primarily affects server-side applications that process untrusted or user-supplied SVGs with the converter's image output functions. Applications that only convert self-generated DiceBear avatars are not practically exploitable, but they are still advised to upgrade.
Impact
Exploitation of this vulnerability can lead to uncontrolled memory allocation, causing a denial-of-service condition on the server.
Reproduction
The vulnerability can be reproduced by using a version of the @dicebear/converter package prior to 9.4.0 and passing an SVG file with extremely large width and height attributes to the converter's image output functions. This can be done either by directly editing the SVG file or by using a tool or script that generates such an SVG. Once the SVG is processed by the converter, the server begins to allocate excessive memory, leading to a denial-of-service condition.
Remediation
Users are advised to upgrade to @dicebear/converter version 9.4.0 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, validate and sanitize the width and height attributes of any untrusted SVG input before passing it to the converter.
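One way to implement that pre-check in a Node.js service, as an added example that is not part of DiceBear or this advisory: the size caps, helper names and sample SVGs below are assumptions, and the check is a gate in front of the converter, not a substitute for upgrading.

```javascript
// Added example (not DiceBear's own code): gate untrusted SVGs on their
// declared root width/height before handing them to a rasterizer, so a
// document cannot dictate an enormous output canvas. Caps are assumed values.
const MAX_SIDE_PX = 4096;        // largest single dimension we will rasterize
const MAX_PIXELS = 4096 * 4096;  // total canvas budget (about 64 MiB of RGBA)
// Attributes of the first <svg ...> tag, i.e. the root element. A string-level
// scan is enough for a gate that runs before any SVG library parses the input.
function rootSvgAttributes(svg) {
  const m = /<svg\b([^>]*)>/i.exec(svg);
  if (!m) return null;
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let a;
  while ((a = re.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3];
  return attrs;
}
// Parse a plain or px length ("512", "512px", "1e9"). Other units (%, em, mm)
// and non-finite values are rejected rather than guessed at.
function parseLengthPx(value) {
  const m = /^\s*(\d+(?:\.\d+)?(?:e[+-]?\d+)?)\s*(px)?\s*$/i.exec(value ?? "");
  if (!m) return null;
  const n = Number(m[1]);
  return Number.isFinite(n) ? n : null;
}
// Returns { ok: true, width, height } or { ok: false, reason }. Missing width or
// height falls back to the viewBox size, so a huge viewBox alone cannot dodge the cap.
function checkSvgDimensions(svg) {
  const attrs = rootSvgAttributes(svg);
  if (!attrs) return { ok: false, reason: "no <svg> root element" };
  let width = parseLengthPx(attrs.width);
  let height = parseLengthPx(attrs.height);
  if ((width === null || height === null) && attrs.viewbox) {
    const vb = attrs.viewbox.trim().split(/[\s,]+/).map(Number);
    if (vb.length === 4 && vb.every(Number.isFinite)) {
      width = width ?? vb[2];
      height = height ?? vb[3];
    }
  }
  if (width === null || height === null) return { ok: false, reason: "unparseable size" };
  if (width <= 0 || height <= 0) return { ok: false, reason: "non-positive size" };
  if (width > MAX_SIDE_PX || height > MAX_SIDE_PX) return { ok: false, reason: "side exceeds cap" };
  if (width * height > MAX_PIXELS) return { ok: false, reason: "pixel budget exceeded" };
  return { ok: true, width, height };
}
// Constructed sample inputs: a normal avatar-sized SVG and an oversized one.
const SAMPLE_OK = '<svg xmlns="http://www.w3.org/2000/svg" width="256" height="256"></svg>';
const SAMPLE_HUGE = '<svg xmlns="http://www.w3.org/2000/svg" width="1e9" height="1e9"></svg>';
console.log(checkSvgDimensions(SAMPLE_OK), checkSvgDimensions(SAMPLE_HUGE));
```

Only documents that pass the check should reach the converter; anything rejected is logged and dropped rather than rasterized.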
