DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `h…

CVE-2026-29112 affects DiceBear avatar library versions prior to 9.4.0. The vulnerability exists in the ensureSize() function of @dicebear/converter which reads SVG width and height attributes to determine canvas size for rasterization. Attackers can supply crafted SVGs with extremely large dimensions to force excessive memory allocation, leading to denial of service. The issue primarily affects server-side applications processing untrusted SVG input through converter functions like toPng(), toJpeg(), toWebp(), or toAvif(). Version 9.4.0 fixes the issue by implementing a size option with default 512 and maximum 2048 dimensions instead of reading SVG attributes.