SVGO (SVG Optimizer), a Node.js library and command-line application for optimizing SVG files, contains a vulnerability in multiple version ranges that allows XML entity expansion attacks. The vulnerability affects versions 2.1.0 to before 2.8.1, 3.0.0 to before 3.3.3, and before 4.0.1. SVGO accepts XML with custom entities without proper guards against entity expansion or recursion, which can cause denial of service. An attacker can exploit this with a small XML file (811 bytes) to stall the application and crash the Node.js process with a JavaScript heap out of memory error. The issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.