UNKNOWN npm

devalue affected by CPU and memory amplification from sparse arrays

GHSA-33hq-fvwr-56pm

Published · Modified

Description

Under certain circumstances, serializing sparse arrays using uneval or stringify could cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS. This is extremely difficult to take advantage of in practice, as an attacker would have to manage to create a sparse array on the server — which is impossible in every mainstream wire format — and then that sparse array would have to be run through uneval or stringify.
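A defensive pre-check for the scenario above, added here as an example and not part of devalue: it walks a value and reports whether any array in it is sparse, so a server can refuse to hand such input to uneval or stringify. The function names and the `guardedSerialize` wrapper are assumptions for this example; the sparse-array test counts present index keys instead of looping over `length`, so the check itself is not subject to the same amplification.

```javascript
// Added example (not devalue's own code). Detects sparse arrays anywhere in a
// value before it reaches a serializer such as devalue's uneval()/stringify().

function isSparseArray(arr) {
  // A dense array has exactly `length` own array-index keys. Object.keys only
  // enumerates existing keys, so this stays O(present elements), not O(length),
  // even for `[]` with `length = 1e9`.
  let indexKeys = 0;
  for (const k of Object.keys(arr)) {
    if (/^(0|[1-9]\d*)$/.test(k) && Number(k) < arr.length) indexKeys++;
  }
  return indexKeys !== arr.length;
}

function containsSparseArray(value, seen = new Set()) {
  if (value === null || typeof value !== 'object') return false;
  if (seen.has(value)) return false; // cycles are valid devalue input; visit once
  seen.add(value);

  if (Array.isArray(value)) {
    if (isSparseArray(value)) return true;
    // Recurse only into elements that actually exist.
    for (const k of Object.keys(value)) {
      if (containsSparseArray(value[k], seen)) return true;
    }
    return false;
  }
  if (value instanceof Map) {
    for (const [k, v] of value) {
      if (containsSparseArray(k, seen) || containsSparseArray(v, seen)) return true;
    }
    return false;
  }
  if (value instanceof Set) {
    for (const v of value) if (containsSparseArray(v, seen)) return true;
    return false;
  }
  for (const k of Object.keys(value)) {
    if (containsSparseArray(value[k], seen)) return true;
  }
  return false;
}

// Wrapper: reject sparse input up front, otherwise delegate to the real
// serializer (pass devalue's uneval or stringify as `serialize`).
function guardedSerialize(value, serialize) {
  if (containsSparseArray(value)) {
    throw new Error('refusing to serialize value containing a sparse array');
  }
  return serialize(value);
}
```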
