Svelte devalue Denial-of-Service Vulnerability Due to Improper Input Validation in Typed Array Hydration
Vulnerability
A denial-of-service vulnerability has been identified in the Svelte devalue library, affecting versions from 5.3.0 up to, but not including, the patched release 5.6.2. The issue is in the `devalue.parse` function: certain inputs cause it to consume CPU time and memory out of all proportion to the size of the input. This matters most for applications that pass data from untrusted sources (for example, request bodies) to `devalue.parse`. The root cause lies in the typed array hydration step, which expects the hydrated value it receives to be an ArrayBuffer but does not validate that assumption before handing the value to the typed array constructor. Because typed array constructors also accept a number (allocating that many elements) or an array-like object (iterating over it), an attacker who controls that value controls the size of the allocation and the length of the loop, and a small crafted input can trigger disproportionate resource consumption and a denial-of-service condition.
Impact
An attacker who can get crafted data into a `devalue.parse` call can exhaust memory or monopolise the CPU of the parsing process, causing a denial-of-service condition on the affected system. No authentication or special access is needed beyond the ability to submit the input that the application parses.
Reproduction
The vulnerability can be reproduced by calling `devalue.parse` on externally supplied data in which a typed array entry carries a non-ArrayBuffer value. The attacker crafts a serialized payload that represents a typed array, such as 'Int8Array', whose buffer slot hydrates to an invalid input type, such as a large number or an array-like object, instead of a proper ArrayBuffer. Parsing this input reaches the typed array constructor with the attacker-chosen value, and the resulting allocation or iteration consumes memory and CPU time in proportion to that value rather than to the size of the payload.
Remediation
Users are advised to upgrade to Svelte devalue version 5.6.2 or later, where this vulnerability has been patched by validating the input before constructing the typed array. Until the upgrade is in place, treat any `devalue.parse` call that receives externally supplied data as exposed.
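As an added example (not devalue's source and not code from this advisory), the following JavaScript models the hydration step described above: a simplified hydrator that hands the second payload slot straight to the typed array constructor, beside the hardened form that refuses anything other than an ArrayBuffer. The `["Int8Array", value]` payload shape, the function names and the sample payloads are constructed for this illustration and are not devalue's wire format.

```javascript
// Added illustration of the bug class described in this advisory. This is a
// simplified stand-in for typed-array hydration, NOT devalue's source, and the
// payload shape ["Int8Array", <value>] is assumed for the demo only.

const TYPED_ARRAY_CTORS = {
  Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array,
  Int32Array, Uint32Array, Float32Array, Float64Array,
  BigInt64Array, BigUint64Array,
};

// Vulnerable pattern: whatever sits in the second slot is passed unchecked to
// the constructor. Typed array constructors accept more than buffers:
//   new Int8Array(n)              -> allocates n elements
//   new Int8Array({ length: n })  -> iterates an array-like of length n
// so the attacker picks both the allocation size and the loop count.
function hydrateTypedArrayUnchecked([type, input]) {
  const Ctor = TYPED_ARRAY_CTORS[type];
  if (!Ctor) throw new Error(`unsupported typed array type: ${type}`);
  return new Ctor(input);
}

// Hardened pattern: require an ArrayBuffer before constructing the view.
// instanceof is used instead of an Object.prototype.toString check because an
// attacker-controlled object could carry a forged Symbol.toStringTag.
function hydrateTypedArrayChecked([type, input]) {
  const Ctor = TYPED_ARRAY_CTORS[type];
  if (!Ctor) throw new Error(`unsupported typed array type: ${type}`);
  if (!(input instanceof ArrayBuffer)) {
    const got = input === null ? "null" : typeof input;
    throw new Error(`${type}: expected ArrayBuffer, got ${got}`);
  }
  return new Ctor(input);
}

// True if the hardened hydrator rejects the payload before allocating.
function isRejected(payload) {
  try {
    hydrateTypedArrayChecked(payload);
    return false;
  } catch {
    return true;
  }
}

// Constructed payloads, kept small so the demo finishes quickly; a real
// attacker would use the largest value the engine is willing to allocate.
const N = 1 << 20; // 1,048,576 elements
const PAYLOAD_NUMBER = ["Int8Array", N];
const PAYLOAD_ARRAYLIKE = ["Int8Array", { length: N }];
const PAYLOAD_LEGIT = ["Int8Array", new Uint8Array([1, 2, 3]).buffer];

function demo() {
  const out = {};
  // Unchecked: both crafted payloads succeed and cost O(N) memory / CPU.
  out.uncheckedNumberLen = hydrateTypedArrayUnchecked(PAYLOAD_NUMBER).length;
  out.uncheckedArrayLikeLen = hydrateTypedArrayUnchecked(PAYLOAD_ARRAYLIKE).length;
  // Checked: crafted payloads are rejected up front; a real buffer still works.
  out.checkedRejectsNumber = isRejected(PAYLOAD_NUMBER);
  out.checkedRejectsArrayLike = isRejected(PAYLOAD_ARRAYLIKE);
  out.checkedLegitLen = hydrateTypedArrayChecked(PAYLOAD_LEGIT).length;
  return out;
}

console.log(demo());
```

Run it with `node`. The unchecked hydrator's cost grows linearly with the attacker-chosen value, and no parsing limit on the payload's byte size helps because the payload stays a few dozen bytes; the checked hydrator fails before any allocation happens. Note that `instanceof ArrayBuffer` rejects buffers created in another realm (for example a separate `vm` context); for a hydrator that is only fed values it decoded itself, that is the desired behaviour.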
