DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-33HQ-FVWR-56PM: The Billion-Comma Attack: Nuking Svelte SSR with Sparse Arrays


Vulnerability ID: GHSA-33HQ-FVWR-56PM
CVSS Score: 7.5
Published: 2026-02-19

A critical algorithmic complexity vulnerability in the devalue library, a staple of the Svelte ecosystem, allows attackers to trigger Denial of Service (DoS) via memory exhaustion. By supplying specially crafted sparse arrays (arrays with a huge declared length but only a handful of actual elements), attackers can force the serialization engine into an O(L) operation, where L is the declared length, rather than O(N), where N is the number of elements actually present. This results in the server attempting to allocate gigabytes of memory to represent 'empty' space.

TL;DR

Versions of devalue prior to 5.6.3 iterate linearly over sparse arrays during serialization. An attacker can define an array with a length of 100 million containing a single item, causing the server to hang while generating a massive string of hole sentinels. The fix introduces a cost-based heuristic that switches to a 'sparse' encoding format whenever that is cheaper than emitting one hole sentinel per empty slot.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Algorithmic Complexity / Resource Exhaustion
  • CWE ID: CWE-400 (Uncontrolled Resource Consumption)
  • CVSS: 7.5 (High)
  • Attack Vector: Network (Remote)
  • Affected Component: devalue.stringify, devalue.uneval
  • Fix Commit: 819f1ac7475ab37547645cfb09bf2f678a799cf0

Affected Systems

  • Svelte (via devalue dependency)
  • SvelteKit (via devalue dependency)
  • Any Node.js application using devalue for serialization
  • devalue: < 5.6.3 (Fixed in: 5.6.3)

Code Analysis

Commit: 819f1ac

Fix: use sparse encoding for arrays with many holes

@@ -120,7 +120,16 @@
                let sparse_cost = 0;
                for (const index in value) {
                    sparse_cost += (index.length + 1) + str.length + 1;
                }
+
+               // cost of holes
+               const dense_cost = (value.length - Object.keys(value).length) * 3;
+
+               if (sparse_cost < dense_cost) {
+                   // use sparse representation
+                   // ... implementation of SPARSE sentinel ...
+               }
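Review bot: the `if (sparse_cost < dense_cost)` branch is only a placeholder comment (`// ... implementation of SPARSE sentinel ...`), and the header's `+120,16` against 12 visible lines confirms the excerpt is elided, so neither the sparse encoding itself nor what the dense path still does with a large hole count can be checked from this hunk; anyone validating the fix should read the full commit 819f1ac rather than this excerpt. Two smaller points on the visible lines: `str` in `sparse_cost += (index.length + 1) + str.length + 1;` is not defined in the shown context, so the per-element cost being charged is unclear here, and `for (const index in value)` also visits inherited enumerable keys while `Object.keys(value).length` in the `dense_cost` line counts only own keys, so the two sides of the comparison are measured over slightly different key sets if anything enumerable has been added to the array prototype.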

Exploit Details

  • Manual: Constructing a sparse array with arr[1e9]=1 and passing it to stringify triggers the hang.

Mitigation Strategies

  • Update devalue to version 5.6.3 or later.
  • Implement input validation to reject arrays with excessive lengths.
  • Monitor event loop lag in Node.js to detect CPU-blocking operations.
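As an added example of the input-validation mitigation above (this is not the advisory's or devalue's own code): a guard that measures an array's holes the way the fix's cost heuristic does and rejects a payload before it reaches devalue.stringify. The budget constants and the helper names are assumptions.

```javascript
// Added example, not code from the advisory or from devalue: a guard run before
// devalue.stringify that rejects arrays whose declared length or hole count would
// make the dense (one-sentinel-per-hole) encoding unaffordable. HOLE_COST mirrors
// the "* 3" in the fix commit; the two budgets are assumptions, tune per application.
const HOLE_COST = 3;
const MAX_ARRAY_LENGTH = 1_000_000; // assumed cap on any array's declared length
const MAX_DENSE_COST = 1_000_000;   // assumed cap on characters spent on hole sentinels

// Count the index slots actually present in an array (O(N) via Object.keys,
// never O(length)), ignoring expando properties such as arr.foo.
function arrayShape(arr) {
  let present = 0;
  for (const key of Object.keys(arr)) {
    if (String(key >>> 0) === key && (key >>> 0) < arr.length) present++;
  }
  return { length: arr.length, present, holes: arr.length - present };
}

// Characters a dense encoding would spend on holes alone: the quantity the
// vulnerable versions built in memory before the cost heuristic existed.
function denseHoleCost(arr) {
  return arrayShape(arr).holes * HOLE_COST;
}

// Walk a value and throw before serialization if any nested array exceeds a
// budget. Returns true when the whole value is acceptable.
function assertSerializable(value, seen = new Set()) {
  if (value === null || typeof value !== 'object') return true;
  if (seen.has(value)) return true; // cycles are devalue's job, not a DoS here
  seen.add(value);
  if (Array.isArray(value)) {
    const shape = arrayShape(value);
    if (shape.length > MAX_ARRAY_LENGTH) {
      throw new RangeError(`array length ${shape.length} exceeds ${MAX_ARRAY_LENGTH}`);
    }
    if (shape.holes * HOLE_COST > MAX_DENSE_COST) {
      throw new RangeError(`${shape.holes} holes would cost ${shape.holes * HOLE_COST} chars`);
    }
  }
  // Object.keys visits only present slots / own properties, so this stays O(N)
  for (const key of Object.keys(value)) assertSerializable(value[key], seen);
  return true;
}
// Constructed input in the shape the advisory describes: one element, huge length.
function makeSparsePayload(length) {
  const arr = [];
  arr[length - 1] = 1; // raises arr.length without allocating the holes
  return arr;
}
```

Run the guard on every request body or load() result before it is handed to devalue; rejecting at this point costs O(N) in the elements actually present, never O(length).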

Remediation Steps:

  1. Run npm audit to identify the vulnerable path.
  2. Execute npm update devalue to pull the latest patch.
  3. Verify the version in node_modules/devalue/package.json is >= 5.6.3.

Read the full report for GHSA-33HQ-FVWR-56PM on our website for more details including interactive diagrams and full exploit analysis.
