[wp-trac] [WordPress Trac] #64833: Bundled Themes: Update svgo transitive dependency in Twenty Twenty-Five to fix CVE-2026-29074 (Billion Laughs DoS)
WordPress Trac
noreply at wordpress.org
Mon Mar 9 10:44:02 UTC 2026
#64833: Bundled Themes: Update svgo transitive dependency in Twenty Twenty-Five to fix CVE-2026-29074 (Billion Laughs DoS)
---------------------------+-----------------------------
Reporter: aakashverma1 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Bundled Theme | Version: 6.9
Severity: normal | Keywords:
Focuses: |
---------------------------+-----------------------------
== Summary ==
The `package-lock.json` file introduced to the Twenty Twenty-Five theme in [60934] locks `svgo` at version `4.0.0` as a transitive dependency via `cssnano 7.1.1 > postcss-svgo > svgo`.

`svgo 4.0.0` is affected by CVE-2026-29074 (GHSA-xpqw-6gx7-v673), a HIGH severity Denial of Service vulnerability published on March 6, 2026.
== Vulnerability Details ==
* CVE: CVE-2026-29074
* GHSA: https://github.com/advisories/GHSA-xpqw-6gx7-v673
* CVSS score: 7.5 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CWE: CWE-776 (Improper Restriction of Recursive Entity References in DTDs — 'XML Entity Expansion')

SVGO accepts XML with custom entities without guards against entity expansion or recursion. A crafted SVG file of only 811 bytes can stall the application or crash the Node.js process with "JavaScript heap out of memory" (Billion Laughs attack).
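The entity-expansion attack described above, as an added example that is not code from this ticket, from svgo or from sax: a pre-build guard that estimates how far the internal DTD entities of an SVG would expand and refuses the file before any XML parser sees it. The 1 MiB budget, the function names and the sample documents are this example's own assumptions; the Billion Laughs sample is constructed here, not the 811-byte file referenced in the advisory.

```javascript
// Added example (not part of the WordPress ticket, svgo or sax): estimate the
// expanded size of an SVG's internal-subset entities without expanding them,
// so a CI step can reject a "Billion Laughs" payload up front.

const DOCTYPE_RE = /<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/;
const ENTITY_DECL_RE = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(["'])([\s\S]*?)\2\s*>/g;
const ENTITY_REF_RE = /&([A-Za-z_][\w.-]*);/g;

// Collect general entity declarations from the internal DTD subset, if any.
function parseEntityDeclarations(xml) {
  const decls = new Map();
  const doctype = xml.match(DOCTYPE_RE);
  if (!doctype) return decls;
  for (const m of doctype[1].matchAll(ENTITY_DECL_RE)) decls.set(m[1], m[3]);
  return decls;
}

// Length of `text` once every declared entity reference is fully expanded.
// Each entity's size is computed once and memoised, so the estimate costs
// O(total declaration size) even when the real expansion would be 10^9 bytes.
// A reference cycle (an entity that reaches itself) is reported as an error.
function expandedLength(text, decls, memo, stack) {
  let total = 0;
  let last = 0;
  for (const m of text.matchAll(ENTITY_REF_RE)) {
    total += m.index - last;
    last = m.index + m[0].length;
    const name = m[1];
    if (!decls.has(name)) { total += m[0].length; continue; } // &amp; etc. stay as-is
    if (stack.has(name)) throw new Error(`recursive entity reference: &${name};`);
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, expandedLength(decls.get(name), decls, memo, stack));
      stack.delete(name);
    }
    total += memo.get(name);
  }
  return total + (text.length - last);
}

// Returns { ok, expandedBytes, reason }. Assumed budget: 1 MiB of expanded text.
function checkSvgEntityExpansion(xml, maxExpandedBytes = 1 << 20) {
  const decls = parseEntityDeclarations(xml);
  const body = xml.replace(DOCTYPE_RE, ''); // declarations themselves are not output
  try {
    const expandedBytes = expandedLength(body, decls, new Map(), new Set());
    if (expandedBytes > maxExpandedBytes) {
      return { ok: false, expandedBytes, reason: `entity expansion would reach ${expandedBytes} bytes` };
    }
    return { ok: true, expandedBytes, reason: null };
  } catch (err) {
    return { ok: false, expandedBytes: Infinity, reason: err.message };
  }
}

// Constructed sample: the classic Billion Laughs layout inside an SVG wrapper.
// Depth 9 with fan-out 10 yields 10^9 copies of "lol" from under 1 KiB of input.
function buildBillionLaughsSvg(depth = 9, fanout = 10) {
  const decls = ['<!ENTITY lol "lol">'];
  for (let i = 1; i <= depth; i++) {
    const prev = i === 1 ? 'lol' : `lol${i - 1}`;
    decls.push(`<!ENTITY lol${i} "${`&${prev};`.repeat(fanout)}">`);
  }
  return [
    '<?xml version="1.0"?>',
    `<!DOCTYPE svg [\n  ${decls.join('\n  ')}\n]>`,
    `<svg xmlns="http://www.w3.org/2000/svg"><text>&lol${depth};</text></svg>`,
  ].join('\n');
}

// Constructed: an ordinary SVG with no DTD at all.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>';

// Constructed: two entities that reference each other, the recursion case
// a parser without an expansion guard would loop on.
const RECURSIVE_SVG = '<!DOCTYPE svg [<!ENTITY a "&b;"><!ENTITY b "&a;">]><svg>&a;</svg>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkSvgEntityExpansion(BENIGN_SVG));
  console.log(checkSvgEntityExpansion(buildBillionLaughsSvg()));
  console.log(checkSvgEntityExpansion(RECURSIVE_SVG));
}
```

The guard deliberately sizes the expansion instead of performing it: the memoised walk touches each declaration once, so a payload whose real expansion is gigabytes is rejected in microseconds, and a mutual reference between entities is reported rather than followed. Run it over every `.svg` that a build pipeline will hand to svgo (or any sax-based parser) before `npm run build`.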
== Affected Dependency Chain ==
cssnano 7.1.1 → postcss-svgo → svgo 4.0.0 (vulnerable)
Located in:
src/wp-content/themes/twentytwentyfive/package-lock.json
== Impact on WordPress ==
This dependency is build-time only (used by `npm run build` to minify `style.css` into `style.min.css`). It is NOT executed at runtime on WordPress servers and does NOT affect end users of live WordPress sites. There is no exploit surface in a production WordPress deployment.

The risk applies if a developer or CI/CD pipeline runs `npm install` + `npm run build` inside the theme directory while processing untrusted SVG input — which is not a standard workflow.
== Fix ==
Bump `svgo` from `4.0.0` to `4.0.1` in `package-lock.json`. The fix in svgo 4.0.1 sets the minimum version of the `sax` XML parser to v1.5.0, which adds guards against entity expansion by default.
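An added example covering both the dependency chain above and the fix, not code from the ticket or from WordPress core: an offline audit of a `package-lock.json` in the lockfileVersion 3 layout (where `packages` is keyed by install path) that reconstructs how a package is reached from the root and flags the two versions this fix hinges on, svgo below 4.0.1 and sax below 1.5.0. The lock excerpt is constructed for the example (the postcss-svgo and sax versions in it are placeholders, not the theme's real lockfile), and the function names are this example's own.

```javascript
// Added example (not part of the WordPress ticket or of npm): audit a
// lockfileVersion 3 package-lock for the svgo / sax minimums that close
// CVE-2026-29074, and print the dependency chain that pulls svgo in.

// Constructed excerpt in package-lock v3 shape. Versions other than
// cssnano 7.1.1 and svgo 4.0.0 are placeholders for the example.
const LOCK_EXCERPT = {
  name: 'twentytwentyfive', lockfileVersion: 3,
  packages: {
    '': { name: 'twentytwentyfive', devDependencies: { cssnano: '^7.1.1' } },
    'node_modules/cssnano': { version: '7.1.1', dev: true, dependencies: { 'postcss-svgo': '*' } },
    'node_modules/postcss-svgo': { version: '7.0.0', dev: true, dependencies: { svgo: '*' } },
    'node_modules/svgo': { version: '4.0.0', dev: true, dependencies: { sax: '*' } },
    'node_modules/sax': { version: '1.4.0', dev: true },
  },
};

// Minimum safe versions per the ticket: svgo 4.0.1, which requires sax >= 1.5.0.
const MINIMUM_SAFE = { svgo: '4.0.1', sax: '1.5.0' };

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(installPath) {
  const parts = installPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Every installed copy of a watched package whose version is below the minimum.
function auditLock(lock, minimums = MINIMUM_SAFE) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const name = packageNameFromPath(path);
    const min = minimums[name];
    if (min && meta.version && compareSemver(meta.version, min) < 0) {
      findings.push({ name, path, version: meta.version, minimum: min });
    }
  }
  return findings;
}

// npm-style resolution: nearest node_modules directory walking up from the dependant.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// All root-to-target chains, each as ["cssnano@7.1.1", ..., "svgo@4.0.0"].
function chainsTo(lock, target) {
  const chains = [];
  const walk = (path, trail) => {
    const meta = lock.packages[path];
    const deps = { ...(meta.dependencies || {}), ...(path === '' ? (meta.devDependencies || {}) : {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(lock, path, dep);
      if (!resolved || trail.includes(resolved)) continue; // unresolved or cyclic
      const next = [...trail, resolved];
      if (dep === target) chains.push(next.map((p) => `${packageNameFromPath(p)}@${lock.packages[p].version}`));
      else walk(resolved, next);
    }
  };
  walk('', []);
  return chains;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(chainsTo(LOCK_EXCERPT, 'svgo').map((c) => c.join(' > ')));
  console.log(auditLock(LOCK_EXCERPT));
}
```

On a real checkout, `npm ls svgo` in the theme directory shows the same chain and `npm audit` reports the advisory; the value of an offline check like this one is that it can run in CI against the committed lockfile without a network and fail the build until both svgo and its sax dependency meet the minimums, since bumping svgo alone would not help if the lock still pinned an older sax.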
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64833>
WordPress Trac <https://core.trac.wordpress.org/>