Svelte devalue
- >= 5.6.3, <= 5.8.0
A denial-of-service vulnerability has been identified in the Svelte devalue library, affecting versions from 5.6.3 up to but not including 5.8.1. The issue arises in the `devalue.parse` function, where certain JavaScript engine quirks can be exploited to cause excessive memory consumption. This happens when the parser deserializes sparse arrays, leading to arbitrary memory allocation. The vulnerability has been patched in version 5.8.1.
Exploitation of this vulnerability could cause the host process to allocate large amounts of memory, potentially leading to a crash.
The vulnerability can be reproduced by using the `devalue.parse` function to deserialize a sparse array payload that claims a large length but contains little actual data. This can be done by crafting a payload that takes advantage of the sparse array encoding, which is represented as an array starting with a specific marker followed by the length and indexed values. Such a payload can be built programmatically and then parsed with the `devalue.parse` function.
Users can upgrade to Svelte devalue version 5.8.1 to address this vulnerability.
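Where an immediate upgrade is not possible, a pre-parse screen can reject payloads whose sparse-array entries claim a length far beyond what the application expects, before `devalue.parse` ever allocates. This is an added example, not code from the devalue project; it assumes the payload is JSON text (devalue's output format) and uses `SPARSE_MARKER` as a placeholder for the real marker string, which must be taken from the devalue source for the affected versions.

```javascript
// Added defensive example, not part of devalue. Screens a devalue payload for
// sparse-array entries that claim an oversized length before it is parsed.
// SPARSE_MARKER is a placeholder: replace it with the marker string devalue
// actually emits for sparse arrays in the affected versions.
const SPARSE_MARKER = 'SPARSE_ARRAY_MARKER_PLACEHOLDER';
const MAX_SPARSE_LENGTH = 10_000; // tune to the largest array your app legitimately handles

// Walks the JSON structure and returns every claimed sparse-array length that
// is not a safe non-negative integer within maxLength. JSON.parse itself does
// not build sparse arrays, so this walk costs time proportional to the payload
// text, not to the claimed length.
function findOversizedSparseArrays(payloadText, maxLength = MAX_SPARSE_LENGTH) {
  const root = JSON.parse(payloadText);
  const problems = [];
  const stack = [root];
  while (stack.length) {
    const node = stack.pop();
    if (Array.isArray(node)) {
      if (node[0] === SPARSE_MARKER) {
        const claimed = node[1];
        if (!Number.isSafeInteger(claimed) || claimed < 0 || claimed > maxLength) {
          problems.push(claimed);
        }
      }
      for (const child of node) stack.push(child);
    } else if (node && typeof node === 'object') {
      for (const value of Object.values(node)) stack.push(value);
    }
  }
  return problems;
}

// Wrapper around a parse function (pass devalue.parse in real use). Rejects the
// payload with a RangeError instead of letting the parser allocate.
function safeParse(payloadText, parse, maxLength = MAX_SPARSE_LENGTH) {
  const oversized = findOversizedSparseArrays(payloadText, maxLength);
  if (oversized.length > 0) {
    throw new RangeError(`sparse array length ${oversized[0]} exceeds limit ${maxLength}`);
  }
  return parse(payloadText);
}
```

A byte-size cap on the raw payload is not sufficient on its own, because the claimed length is a single small number; the screen above checks the claim itself.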