
[Security] Update svgo dependency to fix nth-check vulnerability (CVE-2021-3803) in @svgr/plugin-svgo #1014

@tejashrisawant-eaton

Description


🐛 Bug Report

The current version of @svgr/plugin-svgo@5.5.0 depends on an outdated version of svgo@^1.2.2, which creates a dependency chain that includes the vulnerable nth-check@1.0.2 package. This vulnerability (CVE-2021-3803) has a CVSS score of 7.5 (High Severity) and affects all Create React App projects and any project using SVGR with SVGO optimization.

Vulnerability Details:

  • CVE: CVE-2021-3803
  • Type: Inefficient Regular Expression Complexity (ReDoS)
  • CVSS Score: 7.5 (High Severity)
  • Affected Package: nth-check@1.0.2 (transitive dependency)
  • Fixed In: nth-check@2.0.1+

To Reproduce

Steps to reproduce the behavior:

  1. Create a new Create React App project: npx create-react-app test-svgr-vulnerability
  2. cd test-svgr-vulnerability
  3. Run npm ls nth-check to see the vulnerable dependency
  4. Run npm audit to see the security vulnerability
  5. Check BlackDuck, Snyk, or other security scanning tools - they will flag this vulnerability

Current Dependency Chain:
react-scripts@5.0.1
├── @svgr/webpack@5.5.0
├── @svgr/plugin-svgo@5.5.0
├── svgo@1.2.2 (outdated - released 2019)
├── css-select@2.1.0
├── nth-check@1.0.2 (VULNERABLE ❌)

Expected behavior

The @svgr/plugin-svgo package should use a modern version of svgo (v2.x or v3.x) that depends on css-select@4.x or css-select@5.x, which in turn depends on the fixed nth-check@2.x versions.

Proposed Fix:
Update packages/plugin-svgo/package.json (svgo "^2.0.0", or "^3.0.0"; JSON does not allow inline comments, so the alternative is noted here rather than in the file):

{
  "dependencies": {
    "svgo": "^2.0.0"
  }
}

Expected Fixed Chain:
@svgr/plugin-svgo@6.x.x
├── svgo@2.x.x (or 3.x.x)
├── css-select@4.x.x (or 5.x.x)
├── nth-check@2.1.1+ (SECURE ✅)

Link to repl or repo (highly encouraged)

The issue can be reproduced in any project using Create React App or SVGR:

Minimal Reproduction:
npx create-react-app test-svgr-vulnerability
cd test-svgr-vulnerability
npm ls nth-check # Shows vulnerable nth-check@1.0.2
npm audit # Shows CVE-2021-3803

Run npx envinfo --system --binaries --npmPackages @svgr/core,@svgr/cli,@svgr/webpack,@svgr/rollup --markdown --clipboard

## System:
 - OS: macOS 14.x
 - CPU: (8) arm64 Apple M1
 - Memory: 16.00 GB / 16.00 GB
 - Shell: /bin/zsh

## Binaries:
 - Node: 18.17.0 - ~/.nvm/versions/node/v18.17.0/bin/node
 - npm: 9.6.7 - ~/.nvm/versions/node/v18.17.0/bin/npm

## npmPackages:
 - @svgr/webpack: ^5.5.0 (via react-scripts@5.0.1)
 - react-scripts: ^5.0.1
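The reproduction above relies on reading `npm ls nth-check` by eye. The script below is an added example, not code from the issue author or the SVGR project: it parses the JSON form of `npm ls --all --json`, walks the dependency tree, and reports every path that ends in an nth-check below the fix version 2.0.1 named in the report, so the check can run in CI. The embedded tree is constructed to mirror the chain in the issue (plus one hoisted, already-fixed copy); the `fixedIn` parameter and the helper names are assumptions of this example.

```javascript
// Added example (not from the issue or SVGR): flag every path in an
// `npm ls --all --json` tree that reaches a vulnerable nth-check.

// Constructed sample mirroring the chain in the issue. In a real project,
// replace it with the parsed output of `npm ls --all --json`.
const SAMPLE_NPM_LS = {
  name: "test-svgr-vulnerability",
  version: "0.1.0",
  dependencies: {
    "react-scripts": {
      version: "5.0.1",
      dependencies: {
        "@svgr/webpack": {
          version: "5.5.0",
          dependencies: {
            "@svgr/plugin-svgo": {
              version: "5.5.0",
              dependencies: {
                svgo: {
                  version: "1.2.2",
                  dependencies: {
                    "css-select": {
                      version: "2.1.0",
                      dependencies: { "nth-check": { version: "1.0.2" } },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
    // Hoisted, already-fixed copy: must not be reported.
    "css-select": {
      version: "4.3.0",
      dependencies: { "nth-check": { version: "2.1.1" } },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build tags are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version a is strictly lower than version b.
function semverLt(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Depth-first walk of the npm ls tree. Returns each path (array of
// "name@version" strings) whose last element is `pkg` at a version < fixedIn.
function findVulnerable(tree, pkg, fixedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      if (!child.version) continue; // unresolved/missing entries carry no version
      const here = [...path, `${name}@${child.version}`];
      if (name === pkg && semverLt(child.version, fixedIn)) hits.push(here);
      walk(child, here);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// One line per vulnerable path, or an OK line when the tree is clean.
function report(tree, pkg, fixedIn) {
  const hits = findVulnerable(tree, pkg, fixedIn);
  if (hits.length === 0) return `OK: no ${pkg} below ${fixedIn}`;
  return hits.map((p) => `VULNERABLE: ${p.join(" > ")}`).join("\n");
}

console.log(report(SAMPLE_NPM_LS, "nth-check", "2.0.1"));
```

Because it walks the full tree rather than stopping at the first match, the script still reports a nested vulnerable copy when a fixed copy is hoisted to the top level, which is exactly the situation a plain `npm ls nth-check` reading can obscure.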
