Uneval and Stringify Can Crash devalue with Large Sparse Arrays

GHSA-33hq-fvwr-56pm
Summary

devalue's `uneval` and `stringify` functions can be driven into a denial of service (DoS) on the server if a large sparse array is created and then passed to them. This is difficult to achieve in the wild, but it is a weakness worth knowing about. To mitigate the risk, ensure that your server-side code never serializes sparse arrays with these functions, or validate and sanitize user input so that large arrays cannot be created in the first place.

What to do
  • Update GitHub Actions devalue to version 5.6.3.
Affected software
Vendor         | Product | Affected versions | Fix available
GitHub Actions | devalue | <= 5.6.2          | 5.6.3
Original title
devalue affected by CPU and memory amplification from sparse arrays
Original description
Under certain circumstances, serializing sparse arrays using `uneval` or `stringify` could cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS. This is extremely difficult to take advantage of in practice, as an attacker would have to manage to create a sparse array on the server — which is impossible in every mainstream wire format — and then that sparse array would have to be run through `uneval` or `stringify`.
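As an added example, not part of this advisory or of devalue itself: a server-side guard that rejects sparse arrays before a value reaches `uneval` or `stringify`. It counts populated index keys rather than iterating `length`, so the check stays cheap even for an array whose `length` is enormous. The function names and the integration point are assumptions.

```javascript
// Added defensive example (hypothetical helper, not devalue's own API):
// refuse to serialize any value tree that contains a sparse array.

// A canonical array index key: "0".."4294967294" with no leading zeros.
const isIndexKey = (k) => String(k >>> 0) === k && (k >>> 0) < 0xffffffff;

// Sparse means fewer populated index slots than `length`. Object.keys costs
// O(populated slots), not O(length), so `Array(1e8)` is detected instantly.
function isSparseArray(value) {
  if (!Array.isArray(value)) return false;
  const populated = Object.keys(value).filter(isIndexKey).length;
  return populated < value.length;
}

// Walk a value tree; return the path of the first sparse array found, or null.
// Covers plain objects, arrays, Map and Set, and tolerates cycles via `seen`.
function findSparseArray(value, path = '$', seen = new Set()) {
  if (value === null || typeof value !== 'object') return null;
  if (seen.has(value)) return null;
  seen.add(value);
  if (isSparseArray(value)) return path;

  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findSparseArray(value[i], `${path}[${i}]`, seen);
      if (hit) return hit;
    }
  } else if (value instanceof Map) {
    let i = 0;
    for (const [k, v] of value) {
      const hit = findSparseArray(k, `${path}.key(${i})`, seen) ||
                  findSparseArray(v, `${path}.get(${i})`, seen);
      if (hit) return hit;
      i++;
    }
  } else if (value instanceof Set) {
    let i = 0;
    for (const v of value) {
      const hit = findSparseArray(v, `${path}.item(${i})`, seen);
      if (hit) return hit;
      i++;
    }
  } else {
    for (const key of Object.keys(value)) {
      const hit = findSparseArray(value[key], `${path}.${key}`, seen);
      if (hit) return hit;
    }
  }
  return null;
}

// Call this right before uneval()/stringify(); throws instead of serializing.
function assertSerializable(value) {
  const where = findSparseArray(value);
  if (where !== null) throw new TypeError(`sparse array at ${where}`);
  return value;
}
```

Note that `[undefined]` is dense (the slot exists), while `[ , ]` is sparse; only holes trigger the guard.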
Severity: CVSS 4.0 score 1.7 (source: GHSA)
Vulnerability type
CWE-770 Allocation of Resources Without Limits
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026