DiceBear Avatar Library SVG Injection Vulnerability Allowing Cross-Site Scripting

Vulnerability

A vulnerability in the DiceBear avatar library, affecting versions 5.0.0 prior to 5.4.4, 6.0.0 prior to 6.1.4, 7.0.0 prior to 7.1.4, 8.0.0 prior to 8.0.3, and 9.0.0 prior to 9.4.1, allows Cross-Site Scripting (XSS). The issue arises because SVG attribute values derived from user-supplied options, such as backgroundColor, fontFamily, and textColor, were interpolated into the SVG output without being escaped, so a value containing a quote character can close the attribute and introduce markup of its own. The vulnerability is reachable when an application passes untrusted input to the createAvatar() function and serves the resulting SVG inline or with a Content-Type of image/svg+xml. Applications that validate options against the library's JSON Schema before calling createAvatar() are not affected, and the DiceBear CLI, which performs that validation, was not vulnerable.
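The mechanism described above, as an added example that is not DiceBear's own code: a hypothetical renderer interpolates a backgroundColor option into an SVG attribute verbatim, and the two mitigations the advisory names (escaping attribute values before interpolation, or validating options up front in the way a JSON Schema check would) are shown beside it. The function names, the hex-colour pattern and the sample input are all constructed for this illustration.

```javascript
// Added example, not DiceBear's code. Shows how an unescaped option value
// breaks out of an SVG attribute, and two defences: entity-escaping the value
// at interpolation time, and validating options before rendering.
// All function and option names here are hypothetical.

// Escape the five characters that can terminate or alter an XML attribute value.
function escapeSvgAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Flawed rendering: the option value lands in the attribute unchanged.
function renderUnsafe(options) {
  return `<rect width="100" height="100" fill="${options.backgroundColor}"/>`;
}

// Fixed rendering: every interpolated attribute value is escaped first.
function renderSafe(options) {
  return `<rect width="100" height="100" fill="${escapeSvgAttribute(options.backgroundColor)}"/>`;
}

// Schema-style validation: accept only a plain 6-digit hex colour, so anything
// else is rejected before it reaches the template. The pattern is an assumption
// standing in for the library's JSON Schema.
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;
function validateOptions(options) {
  const errors = [];
  if (!HEX_COLOR.test(options.backgroundColor)) {
    errors.push('backgroundColor must be a 6-digit hex colour');
  }
  return { ok: errors.length === 0, errors };
}

// Count the attributes on the first element; an extra one reveals a breakout.
function countAttributes(svg) {
  const tag = svg.slice(1, svg.indexOf('>'));
  return (tag.match(/\s[a-zA-Z-]+="/g) || []).length;
}

// Constructed untrusted input: a colour followed by a quote that closes the
// fill attribute and appends an attribute the caller never intended.
const untrusted = { backgroundColor: '#ff0000" data-injected="1' };

const unsafeSvg = renderUnsafe(untrusted);  // four attributes: the injected one is live
const safeSvg = renderSafe(untrusted);      // three attributes: the quote became &quot;
const verdict = validateOptions(untrusted); // ok: false, so the renderer is never called

console.log(unsafeSvg, countAttributes(unsafeSvg));
console.log(safeSvg, countAttributes(safeSvg));
console.log(verdict);
```

Either defence on its own closes the hole; escaping protects every caller of the renderer, while validation additionally rejects values that are well-formed XML but still not a colour. The breakout only matters when the SVG is delivered in a context where the browser executes its markup, which is why the advisory singles out inline SVG and the image/svg+xml Content-Type.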

Impact

Exploitation of this vulnerability could lead to Cross-Site Scripting (XSS): an attacker who controls an avatar option can inject markup, including script, that executes in the user's browser under the origin that serves the generated SVG.

Remediation

Users should upgrade to DiceBear version 5.4.4, 6.1.4, 7.1.4, 8.0.3, or 9.4.1, where the vulnerability has been patched. Applications that only use the DiceBear CLI need no action, as it was not vulnerable.

Added: Mar 24, 2026, 2:27 PM
Updated: Mar 24, 2026, 2:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.