Make WordPress Core

Opened 5 weeks ago

Closed 5 weeks ago

#64833 closed defect (bug) (duplicate)

Bundled Themes: Update svgo transitive dependency

Reported by: aakashverma1
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.9
Component: Bundled Theme
Keywords:
Focuses:
Cc:

Description

Summary

The package-lock.json file introduced to the Twenty Twenty-Five theme in [60934]
locks svgo at version 4.0.0 as a transitive dependency via cssnano 7.1.1 > postcss-svgo > svgo.

svgo 4.0.0 is affected by CVE-2026-29074 (GHSA-xpqw-6gx7-v673), a HIGH severity
Denial of Service vulnerability published on March 6, 2026.

Vulnerability Details

SVGO accepts XML with custom entities without guards against entity expansion or
recursion. A crafted SVG file of only 811 bytes can stall the application or crash
the Node.js process with "JavaScript heap out of memory" (Billion Laughs attack).
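The upstream fix lives in the parser (sax 1.5.0 guards entity expansion), but a build pipeline that minifies SVG can also refuse entity-declaring input before it ever reaches a parser. The following is an added example, not code from this ticket, svgo or sax: a pre-parse check that rejects SVG text carrying a DOCTYPE internal subset or any `<!ENTITY>` declaration, flags references to undeclared entities, and enforces a size cap. The sample SVG strings and the function names (`checkSvgForEntities`, `gateSvgFiles`) are constructed for the example.

```javascript
// Added example, not code from the ticket, svgo or sax: a pre-parse guard for a
// build step that hands SVG text to an XML parser. It rejects input that declares
// its own entities (the ingredient an entity-expansion payload needs) on the raw
// text, so no parsing and therefore no expansion work ever happens.

const BUILTIN_ENTITIES = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

// <!DOCTYPE ... [ ... ]> : a DOCTYPE with an internal subset, the only place a
// parser that does not fetch external DTDs (sax does not) sees entity declarations.
const DOCTYPE_WITH_SUBSET = /<!DOCTYPE[^>\[]*\[/i;
const ANY_DOCTYPE = /<!DOCTYPE\b/i;
const ENTITY_DECL = /<!ENTITY\b/i;
// Named entity references; numeric references (&#...;) deliberately do not match.
const ENTITY_REF = /&([A-Za-z_:][\w.:-]*);/g;

// Returns { safe: true } or { safe: false, reason }.
// allowDoctype=true keeps tool-generated files that reference the public SVG DTD
// (no internal subset) acceptable; set it to false for a stricter policy.
function checkSvgForEntities(svgText, { maxBytes = 1 << 20, allowDoctype = true } = {}) {
  const size = Buffer.byteLength(svgText, 'utf8');
  if (size > maxBytes) {
    return { safe: false, reason: `input is ${size} bytes, limit is ${maxBytes}` };
  }
  if (!allowDoctype && ANY_DOCTYPE.test(svgText)) {
    return { safe: false, reason: 'DOCTYPE declarations are not allowed' };
  }
  if (DOCTYPE_WITH_SUBSET.test(svgText) || ENTITY_DECL.test(svgText)) {
    return { safe: false, reason: 'custom entity declarations are not allowed' };
  }
  // Without a DTD, any non-built-in entity reference is malformed; reject it too.
  const unknown = new Set();
  for (const m of svgText.matchAll(ENTITY_REF)) {
    if (!BUILTIN_ENTITIES.has(m[1])) unknown.add(m[1]);
  }
  if (unknown.size > 0) {
    return { safe: false, reason: `references undeclared entities: ${[...unknown].join(', ')}` };
  }
  return { safe: true };
}

// Gate a batch of files (name -> text) and return the names that must not be
// passed to the minifier, each with its reason.
function gateSvgFiles(files, options) {
  const rejected = {};
  for (const [name, text] of Object.entries(files)) {
    const result = checkSvgForEntities(text, options);
    if (!result.safe) rejected[name] = result.reason;
  }
  return rejected;
}

// Constructed samples (not from the ticket): a plain icon, a file with a one-line
// internal subset, and a tool-style file that only references the public DTD.
const CLEAN_SVG =
  '<?xml version="1.0"?>\n' +
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<rect width="10" height="10"/><title>a &amp; b</title></svg>';
const ENTITY_SVG =
  '<?xml version="1.0"?>\n<!DOCTYPE svg [ <!ENTITY e "x"> ]>\n' +
  '<svg xmlns="http://www.w3.org/2000/svg"><title>&e;&e;</title></svg>';
const DTD_ONLY_SVG =
  '<?xml version="1.0"?>\n' +
  '<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n' +
  '<svg xmlns="http://www.w3.org/2000/svg"/>';

const REJECTED = gateSvgFiles({
  'icon.svg': CLEAN_SVG,
  'entities.svg': ENTITY_SVG,
  'illustrator.svg': DTD_ONLY_SVG,
});
console.log(REJECTED); // only entities.svg is listed with the default options
```

The check is intentionally textual: the payload class in this ticket is cheap to write and expensive to parse, so the decision must be made without parsing. It is a belt-and-braces layer for a build pipeline, not a substitute for upgrading the parser that does the expansion.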

Affected Dependency Chain

cssnano 7.1.1 → postcss-svgo → svgo 4.0.0 (vulnerable)

Located in:

src/wp-content/themes/twentytwentyfive/package-lock.json

Impact on WordPress

This dependency is build-time only (used by npm run build to minify style.css
into style.min.css). It is NOT executed at runtime on WordPress servers and does
NOT affect end users of live WordPress sites. There is no exploit surface in a
production WordPress deployment.

The risk applies if a developer or CI/CD pipeline runs npm install + npm run build
inside the theme directory while processing untrusted SVG input — which is not a
standard workflow.

Fix

Bump svgo from 4.0.0 to 4.0.1 in package-lock.json. The fix in svgo 4.0.1
sets the minimum version of the sax XML parser to v1.5.0, which adds guards against entity expansion by default.
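Checking that the bump actually landed means reading what the lockfile resolved, not what package.json requests, and the same check can confirm that the sax copy npm resolved is at or above 1.5.0. The following is an added example, not WordPress core's or npm's own tooling: it audits a package-lock.json `packages` map (lockfileVersion 2/3) for installed copies of a package below a fixed version and prints the dependency chain that pulls each one in. The embedded lockfile is a constructed, trimmed stand-in for the theme's real file; apart from svgo 4.0.0 and cssnano 7.1.1 from the ticket, every version in it is made up, and the function names (`auditLock`, `dependencyChains`, `resolveKey`, `cmpSemver`) are the example's own.

```javascript
// Added example, not WordPress's or npm's code: audit a package-lock.json for a
// transitive dependency resolved below a fixed version, reporting the chain that
// pulls it in (e.g. cssnano > postcss-svgo > svgo). Pass JSON.parse(fs.readFileSync(
// 'package-lock.json', 'utf8')) as `lock` for a real file.

// Constructed sample lockfile (lockfileVersion 3). Only svgo 4.0.0 and cssnano
// 7.1.1 come from the ticket; the other versions are illustrative.
const SAMPLE_LOCK = {
  name: 'twentytwentyfive',
  lockfileVersion: 3,
  packages: {
    '': { name: 'twentytwentyfive', devDependencies: { cssnano: '^7.1.1' } },
    'node_modules/cssnano': { version: '7.1.1', dev: true, dependencies: { 'postcss-svgo': '^7.0.0' } },
    'node_modules/postcss-svgo': { version: '7.0.0', dev: true, dependencies: { svgo: '^4.0.0' } },
    'node_modules/svgo': { version: '4.0.0', dev: true, dependencies: { sax: '^1.4.0' } },
    'node_modules/sax': { version: '1.4.1', dev: true },
  },
};

// Compare MAJOR.MINOR.PATCH numerically; pre-release tags are not handled.
function cmpSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolve the lockfile key npm uses for `dep` requested from the package at
// `fromKey`: the nearest nested node_modules first, then walk up to top level.
function resolveKey(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root entry, returning every chain of package names
// that resolves to the lockfile entry `targetKey`.
function dependencyChains(lock, targetKey) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (key, chain, seen) => {
    const meta = packages[key] || {};
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}),
                   ...(meta.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const depKey = resolveKey(packages, key, dep);
      if (!depKey || seen.has(depKey)) continue; // unresolved or cycle
      const next = [...chain, dep];
      if (depKey === targetKey) chains.push(next);
      else walk(depKey, next, new Set([...seen, depKey]));
    }
  };
  walk('', [], new Set());
  return chains;
}

// Report every installed copy of `name` whose resolved version is below `fixed`.
function auditLock(lock, name, fixed) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [key, meta] of Object.entries(packages)) {
    if (!key.endsWith('node_modules/' + name) || !meta.version) continue;
    if (cmpSemver(meta.version, fixed) < 0) {
      findings.push({
        key,
        version: meta.version,
        chains: dependencyChains(lock, key).map((c) => c.join(' > ')),
      });
    }
  }
  return findings;
}

for (const [pkg, fixed] of [['svgo', '4.0.1'], ['sax', '1.5.0']]) {
  console.log(`${pkg} < ${fixed}:`, JSON.stringify(auditLock(SAMPLE_LOCK, pkg, fixed)));
}
```

Running the audit for both svgo (fixed in 4.0.1) and sax (1.5.0) matters because the svgo bump only raises a minimum; the lockfile decides which sax is actually installed, and a stale pin there would leave the parser-level guard absent even after the svgo line changes.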

Change History (3)

#1 @sabernhardt
5 weeks ago

  • Summary changed from Bundled Themes: Update svgo transitive dependency in Twenty Twenty-Five to fix CVE-2026-29074 (Billion Laughs DoS) to Bundled Themes: Update svgo transitive dependency

When creating a new Trac ticket, the page warned:

"Do not report potential security vulnerabilities here."

The npm dependencies for all themes will have an audit as part of #64230, so this probably does not need its own ticket.

#2 @aakashverma1
5 weeks ago

Thanks for the triage, @sabernhardt, and apologies for the noise!

This is more of a routine package update request than a security report. Since svgo is a build-time dev dependency with no runtime exposure on live WordPress sites, it doesn't warrant its own ticket. I wasn't aware of #64230. Happy to let that ticket cover this instead.

#3 @sabernhardt
5 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #64230.

I'll close it then :)
