GHSA-33hq-fvwr-56pm: devalue affected by CPU and memory amplification from sparse arrays
Under certain circumstances, serializing sparse arrays using uneval or stringify could cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS. This is extremely difficult to take advantage of in practice, as an attacker would have to manage to create a sparse array on the server — which is impossible in every mainstream wire format — and then that sparse array would have to be run through uneval or stringify.
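The mechanism behind this advisory, as an added example that is not devalue's own code: a JavaScript array can carry an enormous .length while storing a single element, so any serializer that walks indices 0 through length-1 does work and emits output proportional to the length rather than to the elements present. The block below constructs such a sparse array directly (the step the advisory notes an attacker cannot perform through any mainstream wire format), contrasts a naive length-walking serializer with one that visits only stored indices, and adds a guard that rejects sparse input before it reaches a length-walking serializer. The {length, entries} output format, the guard thresholds and all function names are assumptions of this example, not devalue's API or wire format.

```javascript
// Added example (not devalue's code): how a sparse array turns a serializer
// into a CPU/memory amplifier, and two ways to defend against it.

// Encode one value; undefined is spelled out because JSON.stringify(undefined)
// returns undefined rather than a string.
function encode(v) {
  return v === undefined ? "undefined" : JSON.stringify(v);
}

// Naive serializer: walks every index up to .length. On a sparse array this
// is the amplification: iterations and output bytes scale with .length, not
// with the elements actually stored. Never call this on an untrusted array.
// Holes are emitted as empty slots, as in a JS array literal ([1,,3]).
function naiveSerialize(arr) {
  const parts = [];
  for (let i = 0; i < arr.length; i++) {
    // `i in arr` tells a hole apart from an explicitly stored undefined
    parts.push(i in arr ? encode(arr[i]) : "");
  }
  return "[" + parts.join(",") + "]";
}

// Number of elements an array actually stores. Object.keys lists only the
// populated indices, so this costs O(stored), not O(length).
function storedCount(arr) {
  return Object.keys(arr).length;
}

// Guard to place in front of any length-walking serializer: refuse arrays
// whose .length is far larger than what they store. maxLength and maxHoles
// are thresholds chosen for this example, not values from the advisory.
function assertNotSparse(arr, { maxLength = 100_000, maxHoles = 1_000 } = {}) {
  if (!Array.isArray(arr)) throw new TypeError("expected an array");
  if (arr.length > maxLength) {
    throw new RangeError(`array length ${arr.length} exceeds ${maxLength}`);
  }
  const holes = arr.length - storedCount(arr);
  if (holes > maxHoles) {
    throw new RangeError(`array has ${holes} holes (limit ${maxHoles})`);
  }
  return arr;
}

// Sparse-aware serializer: emits only the stored entries plus the length, so
// output size is O(stored). The {length, entries} shape is an assumption of
// this example, not devalue's format.
function sparseSerialize(arr) {
  const entries = Object.keys(arr).map((k) => [Number(k), arr[k]]);
  return JSON.stringify({ length: arr.length, entries });
}

// Constructed sample input: a single element parked at a very high index.
// Building this is the step the advisory says no mainstream wire format allows.
function makeSparseSample() {
  const sparse = [];
  sparse[1_000_000_000] = "x";
  return sparse;
}

// Summary of the contrast for a reader running the file directly.
function demo() {
  const sparse = makeSparseSample();
  let guard;
  try {
    assertNotSparse(sparse);
    guard = "accepted";
  } catch (e) {
    guard = e.message;
  }
  return {
    length: sparse.length,                // 1000000001 slots a naive walk would visit
    stored: storedCount(sparse),          // 1 element actually present
    smallNaive: naiveSerialize([1, , 3]), // "[1,,3]": holes become empty slots
    sparseAware: sparseSerialize(sparse), // short: only the one stored entry
    guard,                                // the RangeError message from the guard
  };
}

console.log(demo());
```

naiveSerialize is deliberately never run on the large sample: with length 1e9+1 it would allocate a billion-entry parts array, which is exactly the exhaustion the advisory describes. The guard is the cheap mitigation a practitioner can apply to untrusted arrays before handing them to a serializer whose behaviour on holes is unknown, since both checks cost O(stored elements).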