Svelte devalue: DoS via sparse array deserialization

devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.

References

elliott-with-the-longest-name-on-github published to sveltejs/devalue May 14, 2026

Published to the GitHub Advisory Database May 14, 2026

Reviewed May 14, 2026

Last updated May 15, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

Allocation of Resources Without Limits or Throttling

CVE ID

GHSA ID

Source code

Credits

Uh oh!