CVE-2026-22774
devalue vulnerable to denial of service due to memory exhaustion in devalue.parse
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
| CWE | CWE-405 |
| Vendor | sveltejs |
| Product | devalue |
| Published | Jan 15, 2026 |
| Last Updated | Jun 30, 2026 |
Stay Ahead of the Next One
Get instant alerts for sveltejs devalue
Be the first to know when new high vulnerabilities affecting sveltejs devalue are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
sveltejs / devalue
>= 5.3.0, < 5.6.2
References
github.com: https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv github.com: https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 github.com: https://github.com/sveltejs/devalue/releases/tag/v5.6.2 access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-22774 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2430095 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22774.json access.redhat.com: https://access.redhat.com/errata/RHSA-2026:2926 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:2144