Skip to content

[Security] Update svgo dependency to fix nth-check vulnerability (CVE-2021-3803) in @svgr/plugin-svgoΒ #1014

Open
Open
[Security] Update svgo dependency to fix nth-check vulnerability (CVE-2021-3803) in @svgr/plugin-svgo#1014
@tejashrisawant-eaton

Description

@tejashrisawant-eaton
tejashrisawant-eaton
opened on Sep 29, 2025

πŸ› Bug Report

The current version of @svgr/[email protected] depends on an outdated version of svgo@^1.2.2, which creates a dependency chain that includes the vulnerable [email protected] package. This vulnerability (CVE-2021-3803) has a CVSS score of 7.5 (High Severity) and affects all Create React App projects and any project using SVGR with SVGO optimization.

Vulnerability Details:

To Reproduce

Steps to reproduce the behavior:

  1. Create a new Create React App project: npx create-react-app test-svgr-vulnerability
  2. cd test-svgr-vulnerability
  3. Run npm ls nth-check to see the vulnerable dependency
  4. Run npm audit to see the security vulnerability
  5. Check BlackDuck, Snyk, or other security scanning tools - they will flag this vulnerability

Current Dependency Chain:
[email protected] β”œβ”€β”€ @svgr/[email protected] β”œβ”€β”€ @svgr/[email protected] β”œβ”€β”€ [email protected] (outdated - released 2019) β”œβ”€β”€ [email protected] β”œβ”€β”€ [email protected] (VULNERABLE ❌)

Expected behavior

The @svgr/plugin-svgo package should use a modern version of svgo (v2.x or v3.x) that depends on [email protected] or [email protected], which in turn depends on the fixed [email protected] versions.

Proposed Fix:
Update packages/plugin-svgo/package.json:

{
  "dependencies": {
    "svgo": "^2.0.0"  // or "^3.0.0"
  }
}

Expected Fixed Chain:
@svgr/[email protected]
β”œβ”€β”€ [email protected] (or 3.x.x)
β”œβ”€β”€ [email protected] (or 5.x.x)
β”œβ”€β”€ [email protected]+ (SECURE βœ…)

Link to repl or repo (highly encouraged)

The issue can be reproduced in any project using Create React App or SVGR:

Minimal Reproduction:
npx create-react-app test-svgr-vulnerability
cd test-svgr-vulnerability
npm ls nth-check # Shows vulnerable [email protected]
npm audit # Shows CVE-2021-3803

Run npx envinfo --system --binaries --npmPackages @svgr/core,@svgr/cli,@svgr/webpack,@svgr/rollup --markdown --clipboard

## System:
 - OS: macOS 14.x
 - CPU: (8) arm64 Apple M1
 - Memory: 16.00 GB / 16.00 GB
 - Shell: /bin/zsh

## Binaries:
 - Node: 18.17.0 - ~/.nvm/versions/node/v18.17.0/bin/node
 - npm: 9.6.7 - ~/.nvm/versions/node/v18.17.0/bin/npm

## npmPackages:
 - @svgr/webpack: ^5.5.0 (via [email protected])
 - react-scripts: ^5.0.1

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions