SB20260424109 - Multiple vulnerabilities in devalue
Published: April 24, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: N/A)
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify data integrity and disclose limited information.
The vulnerability exists due to improper neutralization of special elements in the output generated by the uneval feature. When code produced by uneval from untrusted data is later evaluated, a remote privileged user can supply crafted input that, after passing through uneval and being evaluated, modifies data integrity and discloses limited information.
Exploitation is only possible under certain circumstances, namely when code produced by uneval is later evaluated; in that case the evaluated output can have a different shape from the input data.
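The safe pattern against the first issue is to never evaluate serialized text from an untrusted source at all: deserialize it with a data-only parser and then check that the result has exactly the shape the application expects before using it. The following is an added example written for this bulletin, not code from devalue or from the bulletin's author; it uses JSON.parse as a stand-in for any non-evaluating deserializer, and the schema format (typeof strings, nested objects, single-element arrays) and the sample inputs are constructed for illustration.

```javascript
// Added example: deserialize without eval, then enforce an expected shape.
// Schema format (assumed for this example): a typeof string such as 'number',
// a nested object mapping keys to schemas, or a one-element array [schema].
function matchesShape(value, schema) {
  if (Array.isArray(schema)) {
    if (!Array.isArray(value)) return false;
    return value.every((item) => matchesShape(item, schema[0]));
  }
  if (typeof schema === 'object' && schema !== null) {
    if (typeof value !== 'object' || value === null || Array.isArray(value)) return false;
    const expected = Object.keys(schema);
    const actual = Object.keys(value);
    // Reject extra keys as well as missing ones: an unexpected key is exactly
    // the "different shape from the input data" the bulletin warns about.
    if (actual.length !== expected.length) return false;
    return expected.every(
      (key) =>
        Object.prototype.hasOwnProperty.call(value, key) &&
        matchesShape(value[key], schema[key])
    );
  }
  return typeof value === schema;
}

// Parse untrusted serialized data with a data-only parser (never eval),
// then refuse anything that does not match the declared shape.
function parseAndValidate(text, schema) {
  let parsed;
  try {
    parsed = JSON.parse(text); // stand-in for any non-evaluating deserializer
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  if (!matchesShape(parsed, schema)) return { ok: false, reason: 'shape mismatch' };
  return { ok: true, value: parsed };
}

// Constructed sample schema and inputs for the example.
const userSchema = { id: 'number', name: 'string', roles: ['string'] };
const goodInput = '{"id":7,"name":"alice","roles":["reader"]}';
const extraKeyInput = '{"id":7,"name":"alice","roles":["reader"],"isAdmin":true}';
const wrongTypeInput = '{"id":"7","name":"alice","roles":["reader"]}';

console.log(parseAndValidate(goodInput, userSchema));      // ok: true
console.log(parseAndValidate(extraKeyInput, userSchema));  // shape mismatch
console.log(parseAndValidate(wrongTypeInput, userSchema)); // shape mismatch
```

The exact-key-count check is deliberate: a validator that only confirms the expected keys are present would still accept an object that has gained additional properties on the way through serialization and deserialization.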
2) Resource exhaustion (CVE-ID: N/A)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in uneval and stringify when serializing sparse arrays. A remote user can create a sparse array on the server and have it processed to cause a denial of service.
This issue results in denial of service when the affected code is used on the server.
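A server-side mitigation that does not depend on the vendor fix is to inspect untrusted values before handing them to a serializer and reject arrays whose declared length far exceeds the number of elements they actually hold. The guard below is an added example, not code from devalue or from this bulletin; it assumes that the serializer's cost grows with the array's length rather than with its element count (the condition the bulletin describes), and the threshold MAX_HOLES and the sample values are constructed for illustration.

```javascript
// Added example: pre-serialization guard against sparse arrays.
// A sparse array such as `a = []; a[5000] = 'x'` has length 5001 but a single
// own element; Object.keys(a) returns only the indices that actually exist,
// so (length - number of index keys) counts the holes a serializer would walk.

const MAX_HOLES = 1000; // policy threshold, assumed for this example

// Walks an object graph and reports the largest number of holes found in any array.
function sparseArrayReport(value, seen = new Set()) {
  if (typeof value !== 'object' || value === null) return { sparse: false, worstHoles: 0 };
  if (seen.has(value)) return { sparse: false, worstHoles: 0 }; // do not loop on cycles
  seen.add(value);
  let worst = 0;
  if (Array.isArray(value)) {
    // Keep only canonical array index keys ("0", "1", ...), not named properties.
    const indexKeys = Object.keys(value).filter(
      (k) => String(k >>> 0) === k && (k >>> 0) !== 4294967295
    );
    worst = Math.max(worst, value.length - indexKeys.length);
    for (const k of indexKeys) {
      worst = Math.max(worst, sparseArrayReport(value[k], seen).worstHoles);
    }
  } else {
    for (const k of Object.keys(value)) {
      worst = Math.max(worst, sparseArrayReport(value[k], seen).worstHoles);
    }
  }
  return { sparse: worst > 0, worstHoles: worst };
}

// True when every array in the graph has at most maxHoles missing indices.
function safeToSerialize(value, maxHoles = MAX_HOLES) {
  return sparseArrayReport(value).worstHoles <= maxHoles;
}

// Constructed samples: a dense payload and one carrying a sparse array.
function sampleDense() {
  return { items: [1, 2, 3], meta: { tags: ['a', 'b'] } };
}
function sampleSparse() {
  const a = [];
  a[5000] = 'x';
  return { items: a };
}

console.log(sparseArrayReport(sampleDense()));  // { sparse: false, worstHoles: 0 }
console.log(safeToSerialize(sampleDense()));    // true
console.log(sparseArrayReport(sampleSparse())); // { sparse: true, worstHoles: 5000 }
console.log(safeToSerialize(sampleSparse()));   // false
```

Run the guard on request bodies or other attacker-influenced values before they reach uneval or stringify; a value that fails it should be rejected with a client error rather than serialized.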
Remediation
Install the update from the vendor's website.