Image scaling: Only allow JPG and PNG
Some image formats like SVGs represent an attack vector for image processing as they might embed malicious code, something we had problems with in the past: #219010 (closed)
Moreover, we haven't sufficiently tested image scaling with less popular image formats such as TIFF or ICO. PNGs and JPGs make up 99% of our current avatar data set, so this is a good and safe place to start.
The simplest thing we can do currently is to outright filter those out.
For SVGs specifically, we already reject them from avatar uploads, so no further action needed here:
Edited by Matthias Käppler
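
An added example, not GitLab's code: one way to implement the JPG/PNG-only filter described above is to decide by file signature rather than by file name, so an SVG renamed to `.png` is still rejected before scaling. The module and method names are hypothetical, and the sample bytes are constructed for illustration.

```ruby
# Added example (not GitLab's code); module and method names are hypothetical.
# Decides whether an image may be scaled by inspecting its leading bytes
# instead of trusting the file name or a client-supplied Content-Type.
module ScalableImage
  PNG_MAGIC  = "\x89PNG\r\n\x1A\n".b # 8-byte PNG signature
  JPEG_MAGIC = "\xFF\xD8\xFF".b      # JPEG SOI marker plus first marker byte

  EXTENSIONS = { png: %w[.png], jpeg: %w[.jpg .jpeg] }.freeze

  # Returns :png or :jpeg when the content starts with that signature,
  # nil for everything else (SVG, TIFF, ICO, empty input, ...).
  def self.sniff(bytes)
    head = bytes.to_s.b
    return :png  if head.start_with?(PNG_MAGIC)
    return :jpeg if head.start_with?(JPEG_MAGIC)
    nil
  end

  # Allow scaling only when the content is PNG/JPEG and the extension agrees
  # with the sniffed type (assumption: mismatches are rejected, not corrected).
  def self.allowed?(filename, bytes)
    type = sniff(bytes)
    return false if type.nil?
    EXTENSIONS.fetch(type).include?(File.extname(filename.to_s).downcase)
  end
end

# Constructed sample inputs: [file name, leading bytes]
SAMPLES = {
  png:         ["avatar.png", "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b],
  jpeg:        ["avatar.JPG", "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b],
  svg:         ["avatar.svg", '<svg xmlns="http://www.w3.org/2000/svg"/>'],
  svg_renamed: ["avatar.png", '<svg xmlns="http://www.w3.org/2000/svg"/>'],
  tiff:        ["avatar.tiff", "II*\x00".b],
  ico:         ["favicon.ico", "\x00\x00\x01\x00".b]
}.freeze

SAMPLES.each do |name, (file, bytes)|
  puts format("%-12s %-12s scalable=%s", name, file, ScalableImage.allowed?(file, bytes))
end
```

A matching signature only identifies the container format; the scaler still has to cope with truncated or malformed PNG and JPEG data.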