SB20260424109 - Multiple vulnerabilities in devalue
Published: April 24, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: N/A)
The vulnerability allows a remote user to modify data integrity and disclose limited information.
The vulnerability exists due to improper neutralization of special elements in the output generated by the uneval feature when code generated from untrusted data is later evaluated. A remote privileged user can supply crafted input that is serialized with uneval and later evaluated to modify data integrity and disclose limited information.
Exploitation occurs only under certain circumstances, namely when the code produced by uneval is later evaluated; the evaluated output can then have a different shape from the original input data.
2) Resource exhaustion (CVE-ID: N/A)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in uneval and stringify when serializing sparse arrays. A remote user can create a sparse array on the server and have it processed to cause a denial of service.
This issue results in denial of service when the affected code is used on the server.
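The resource-exhaustion issue above arises when a sparse array reaches uneval or stringify. Until the vendor update is applied, a server can reject such input before it reaches the serializer. The following is an added example written for this bulletin, not devalue's own code: a pre-serialization walk that refuses arrays which are sparse (length larger than the number of populated slots) or longer than a policy limit. The function name checkArrays, the MAX_ARRAY_LENGTH value and the sample inputs are assumptions chosen for illustration.

```javascript
// Added example, not part of devalue. Walks a value before it is handed to a
// serializer and reports the first array that is sparse or over a length limit.
const MAX_ARRAY_LENGTH = 10000; // assumed policy limit; tune per application

// Returns { ok: true } when every array in `value` is dense and within the
// limit, otherwise { ok: false, reason, path, ... } for the first offender.
// Cycles are tolerated via `seen`, so the walk always terminates.
function checkArrays(value, maxLength = MAX_ARRAY_LENGTH, path = '$', seen = new Set()) {
  if (value === null || typeof value !== 'object') return { ok: true };
  if (seen.has(value)) return { ok: true };
  seen.add(value);

  if (Array.isArray(value)) {
    // Check length first: this is O(1) even for an array whose length was
    // inflated by assigning to a huge index.
    if (value.length > maxLength) {
      return { ok: false, reason: 'array too long', path, length: value.length };
    }
    // Object.keys yields only populated slots, so counting index keys is
    // O(populated entries), never O(length). Non-index keys are ignored.
    let populated = 0;
    for (const key of Object.keys(value)) {
      if (String(Number(key) >>> 0) === key) populated++;
    }
    if (populated !== value.length) {
      return { ok: false, reason: 'sparse array', path, length: value.length, populated };
    }
    for (let i = 0; i < value.length; i++) {
      const r = checkArrays(value[i], maxLength, `${path}[${i}]`, seen);
      if (!r.ok) return r;
    }
    return { ok: true };
  }

  // Map and Set contents are walked too, since serializers commonly support them.
  if (value instanceof Map) {
    for (const [k, v] of value) {
      const r = checkArrays(v, maxLength, `${path}.get(${String(k)})`, seen);
      if (!r.ok) return r;
    }
    return { ok: true };
  }
  if (value instanceof Set) {
    let i = 0;
    for (const v of value) {
      const r = checkArrays(v, maxLength, `${path}.set[${i++}]`, seen);
      if (!r.ok) return r;
    }
    return { ok: true };
  }

  for (const [k, v] of Object.entries(value)) {
    const r = checkArrays(v, maxLength, `${path}.${k}`, seen);
    if (!r.ok) return r;
  }
  return { ok: true };
}

// Constructed sample inputs (not taken from the advisory) showing the three outcomes.
const benign = { items: [1, 2, { nested: [3, 4] }] };
const sparse = []; sparse[5] = 'x';        // length 6, one populated slot
const huge = []; huge[1_000_000] = 1;      // length 1000001, one populated slot

console.log(checkArrays(benign)); // { ok: true }
console.log(checkArrays({ sparse })); // { ok: false, reason: 'sparse array', path: '$.sparse', ... }
console.log(checkArrays(huge)); // { ok: false, reason: 'array too long', path: '$', ... }
```

Call checkArrays on request-derived data and return an error when `ok` is false instead of passing the value to uneval or stringify. The check is a stopgap that bounds the serializer's work on this input class; it does not replace installing the vendor update, and a byte-size limit on the serialized output is a sensible companion control.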
Remediation
Install update from vendor's website.