DiceBear avatar library versions prior to 9.4.0 contain a vulnerability in the ensureSize() function of @dicebear/converter that allows attackers to cause denial of service through memory exhaustion. The vulnerability occurs when processing untrusted SVG files with extremely large dimensions, forcing excessive memory allocation during rasterization. Server-side applications using converter functions toPng(), toJpeg(), toWebp(), or toAvif() with user-supplied SVGs are at risk. The issue is fixed in version 9.4.0 by implementing size limits and validation controls.