DiceBear Avatar Library @dicebear/converter SVG Dimension Capping Bypass Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the DiceBear avatar library, specifically in the @dicebear/converter package prior to version 9.4.2. The issue lies in the ensureSize() function, which originally used a regex-based method to rewrite the SVG width and height attributes, capping them at 2048 pixels to prevent denial-of-service conditions. This restriction could be bypassed with SVG input crafted so that the regex matched a non-functional occurrence of '<svg' ahead of the actual root element, so the real root element's dimensions were never clamped. When the SVG is then rendered with @resvg/resvg-js on the Node.js path, the renderer honours the attacker-specified dimensions, which can lead to out-of-memory crashes. Version 9.4.2 switched to XML-aware processing with fast-xml-parser, so the root element's attributes are identified and modified correctly, and added a fitTo constraint in the rendering process so the output always stays within safe limits.

Impact

Exploiting this vulnerability can cause applications to experience excessive memory consumption, leading to out-of-memory crashes. This behavior can be observed when untrusted or user-supplied SVG content is processed through @dicebear/converter's Node.js conversion functions, such as toPng, toJpeg, toWebp, and toAvif. It's important to note that this vulnerability is not present in the browser code path, which uses the clamped size return value from ensureSize() to set canvas dimensions directly.
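The two behaviours described above (a text regex that clamps the wrong '<svg', and an XML-aware clamp that finds the real root) side by side, as an added example that is not DiceBear's code: it is Python using the standard-library XML parser in place of fast-xml-parser, the regex variant is a simplified shape of the pre-9.4.2 behaviour rather than the library's implementation, and the decoy SVG is constructed. Both clamp functions return the rewritten SVG plus the size they believe they enforced, which is what separates the browser path (uses the returned size) from the Node.js path (renders the SVG text):

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

MAX_SIZE = 2048
SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default namespace on serialised output

def clamp(value: str) -> int:
    return min(int(value), MAX_SIZE)

def ensure_size_regex(svg: str) -> Tuple[str, int, int]:
    """Vulnerable shape: clamp whichever '<svg ...>' a text regex sees first,
    which need not be the document's root element."""
    size = {"width": MAX_SIZE, "height": MAX_SIZE}
    def fix_attr(a):
        size[a.group(1)] = clamp(a.group(2))
        return f'{a.group(1)}="{size[a.group(1)]}"'
    def fix_tag(m):
        return re.sub(r'\b(width|height)="(\d+)"', fix_attr, m.group(0))
    out = re.sub(r"<svg\b[^>]*>", fix_tag, svg, count=1)
    return out, size["width"], size["height"]

def ensure_size_xml(svg: str) -> Tuple[str, int, int]:
    """Hardened shape: parse the document and clamp the real root element's attributes."""
    root = ET.fromstring(svg)
    if root.tag not in ("svg", f"{{{SVG_NS}}}svg"):
        raise ValueError("root element is not <svg>")
    size = {}
    for name in ("width", "height"):
        m = re.fullmatch(r"(\d+)(px)?", root.get(name, ""))
        size[name] = clamp(m.group(1)) if m else MAX_SIZE  # non-pixel values are left as-is
        if m:
            root.set(name, str(size[name]))
    return ET.tostring(root, encoding="unicode"), size["width"], size["height"]

def rendered_dimensions(svg: str) -> Tuple[int, int]:
    """What an XML-based renderer (the Node.js path) honours: the root element's own attributes."""
    root = ET.fromstring(svg)
    return int(root.get("width")), int(root.get("height"))

# Constructed sample: a harmless '<svg' inside a comment precedes the real root,
# whose dimensions are far above the cap.
DECOY_SVG = (
    '<!-- <svg width="1" height="1"> -->'
    f'<svg xmlns="{SVG_NS}" width="100000" height="100000"><rect width="1" height="1"/></svg>'
)

if __name__ == "__main__":
    out, w, h = ensure_size_regex(DECOY_SVG)
    print("regex clamp reports", (w, h), "renderer sees", rendered_dimensions(out))
    fixed, w, h = ensure_size_xml(DECOY_SVG)
    print("xml clamp reports", (w, h), "renderer sees", rendered_dimensions(fixed))
```

The regex variant reports a 1x1 size (safe for a browser canvas) while the SVG text it hands to the renderer still carries a 100000x100000 root; the parser-based variant clamps the root itself, so both values agree.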

Remediation

Users can upgrade to @dicebear/converter version 9.4.2 or later, where this vulnerability has been addressed. Instructions for updating can be found on the DiceBear GitHub repository.

Added: Mar 24, 2026, 2:23 PM
Updated: Mar 24, 2026, 2:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.0
remediation: 0.0
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.