devalue affected by CPU and memory amplification from sparse arrays

Description

Under certain circumstances, serializing sparse arrays using uneval or stringify could cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS.

Recommendation

Update the devalue package to the latest compatible version. Followings are version details:

• Affected version(s): <= 5.6.2
• Patched version(s): 5.6.3

References

• GHSA-33hq-fvwr-56pm
• CWE-770

Related Issues

• @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
• devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
• CPU exhaustion in SvelteKit remote form deserialization (experimental only) - Vulnerability
• Memory exhaustion in SvelteKit remote form deserialization (experimental only) - Vulnerability

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

devalue