Jviide

**Name of the Vulnerable Software and Affected Versions** Svelte devalue versions prior to 5.6.4 **Description** Svelte devalue is a JavaScript library used for serializing values into strings when JSON.stringify is insufficient. Versions 5.6.3 and earlier of `devalue.parse` and `devalue.unflatten` are susceptible to prototype pollution through maliciously crafted payloads. Successful exploitation could result in Denial of Service (DoS) or type confusion. **Recommendations** Update to version 5.6.4 or later.

**Name of the Vulnerable Software and Affected Versions** Svelte devalue versions 5.3.0 through 5.6.1 **Description** Certain inputs can cause the `devalue.parse` function to consume excessive CPU time and/or memory, potentially leading to a denial of service in systems that parse input from untrusted sources. This affects applications using `devalue.parse` on externally-supplied data. The root cause is the typed array hydration expecting an `ArrayBuffer` as input, but not checking this assumption before creating the typed array. **Recommendations** Upgrade to version 5.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Svelte devalue versions 5.1.0 through 5.6.1 **Description** Certain inputs can cause the `devalue.parse` function to consume excessive CPU time and/or memory, potentially leading to a denial of service. This affects applications using `devalue.parse` on externally-supplied data. The issue stems from the `ArrayBuffer` hydration logic not validating input before processing, specifically expecting base64 encoded strings without verification. **Recommendations** Upgrade to version 5.6.2 or later.