Svelte devalue Denial-of-Service Vulnerability Due to Unvalidated ArrayBuffer Input
Vulnerability
A denial-of-service vulnerability has been identified in the Svelte devalue library, versions 5.1.0 through 5.6.1. The issue lies in the `devalue.parse` function: certain inputs cause it to consume excessive CPU or memory. This is particularly concerning for applications that parse data from untrusted sources. The root cause is the `ArrayBuffer` hydration step, which assumes its input is a base64-encoded string and decodes it without validating it first. As a result, specially crafted inputs can exhaust resources and disrupt service.
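The following is an added illustration of the kind of check the advisory says was missing: a hydration helper that validates the base64 payload's type, length and alphabet before any decoding work. It is not devalue's own code; `hydrateArrayBuffer`, `decodedLength` and the 1 MiB cap are hypothetical names and values chosen for the example.

```javascript
// Added example (not from devalue): validate an ArrayBuffer payload before decoding it.
// Constructed helper names and limits; tune MAX_ARRAYBUFFER_BYTES for your deployment.

const MAX_ARRAYBUFFER_BYTES = 1024 * 1024; // 1 MiB default cap on decoded size

// Strict base64: whole groups of four alphabet characters, with '=' padding only at the end.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Byte length of a canonical base64 string, computed without decoding it.
function decodedLength(b64) {
  const padding = b64.endsWith('==') ? 2 : b64.endsWith('=') ? 1 : 0;
  return (b64.length / 4) * 3 - padding;
}

// Returns an ArrayBuffer for a valid payload; throws before doing any decoding work otherwise.
function hydrateArrayBuffer(value, maxBytes = MAX_ARRAYBUFFER_BYTES) {
  if (typeof value !== 'string') {
    throw new TypeError('ArrayBuffer payload must be a base64 string');
  }
  // Cheapest check first: an encoded string longer than this cannot fit the cap.
  const maxEncodedLength = Math.ceil(maxBytes / 3) * 4;
  if (value.length > maxEncodedLength) {
    throw new RangeError('ArrayBuffer payload exceeds the configured size limit');
  }
  // Reject anything that is not canonical base64 instead of decoding it leniently.
  if (!BASE64_RE.test(value)) {
    throw new SyntaxError('ArrayBuffer payload is not valid base64');
  }
  if (decodedLength(value) > maxBytes) {
    throw new RangeError('ArrayBuffer payload exceeds the configured size limit');
  }
  // Only now pay for the decode; copy out of Node's shared buffer pool.
  const bytes = Buffer.from(value, 'base64');
  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
}

module.exports = { hydrateArrayBuffer, decodedLength, MAX_ARRAYBUFFER_BYTES };
```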
Impact
Exploitation of this vulnerability can cause severe memory and CPU exhaustion, leading to a denial-of-service condition on the affected system.
Reproduction
To reproduce this vulnerability, use Svelte devalue versions 5.1.0 to 5.6.1 and supply `devalue.parse` with crafted data containing invalid `ArrayBuffer` encodings or base64 strings. The parser then consumes excessive CPU and memory, producing a denial-of-service effect.
Remediation
Users should upgrade to Svelte devalue version 5.6.2 or later, where this vulnerability has been patched.
