CVE-2026-22775
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In versions 5.1.0 through 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications that call devalue.parse on externally-supplied data. The root cause is that ArrayBuffer hydration expects a base64-encoded string as input but does not verify that assumption before decoding the input. This vulnerability is fixed in 5.6.2.
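The following is an added illustration of the class of check the advisory describes (validating the "this is base64" assumption before decoding); it is not devalue's code and not the project's actual fix in 5.6.2. The function names, the 1 MiB payload limit and the sample payloads are all assumptions constructed for this example.

```javascript
// Added illustration, not devalue's code: an ArrayBuffer hydrator that
// checks the "this is base64" assumption before decoding, so malformed or
// oversized payloads are rejected up front instead of being fed to the decoder.

// Canonical base64: groups of four alphabet characters plus an optional padded
// tail. The alternatives are fixed-width, so the regex runs in linear time.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Assumed deployment limit on encoded payload size (1 MiB of text).
const MAX_ENCODED_CHARS = 1 << 20;

function isCanonicalBase64(s) {
  return typeof s === 'string' && s.length % 4 === 0 && BASE64_RE.test(s);
}

// Validate, then decode. Each rejection is a distinct error type so a caller
// can map it to a refusal (e.g. HTTP 400) rather than an exhausted worker.
function decodeBase64Strict(s, maxChars = MAX_ENCODED_CHARS) {
  if (typeof s !== 'string') throw new TypeError('payload must be a string');
  if (s.length > maxChars) throw new RangeError('payload exceeds size limit');
  if (!isCanonicalBase64(s)) throw new SyntaxError('payload is not canonical base64');
  const bin = atob(s); // atob is a global in browsers and in Node.js 16+
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Hydration entry point that returns a result object instead of throwing,
// which is convenient at a trust boundary where many payloads are checked.
function hydrateArrayBuffer(payload, maxChars = MAX_ENCODED_CHARS) {
  try {
    return { ok: true, buffer: decodeBase64Strict(payload, maxChars) };
  } catch (err) {
    return { ok: false, reason: err.constructor.name, message: err.message };
  }
}

// Constructed sample payloads (not taken from any real traffic).
const SAMPLES = {
  valid: 'aGVsbG8=',                     // base64 of "hello"
  garbage: '!!!!!!!!',                   // right length, wrong alphabet
  oversized: 'A'.repeat((1 << 20) + 4),  // canonical-looking but over the limit
};

// Run every sample through the hydrator and collect the outcomes.
function runSamples() {
  const out = {};
  for (const [name, payload] of Object.entries(SAMPLES)) {
    out[name] = hydrateArrayBuffer(payload);
  }
  return out;
}

console.log(runSamples());
```

The size limit is checked before the regex so that the cost of rejecting an oversized payload is constant, and the regex is deliberately written without nested quantifiers so that the validation step itself cannot become a new CPU sink.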
| CWE | CWE-405 |
| Vendor | sveltejs |
| Product | devalue |
| Published | Jan 15, 2026 |
| Last Updated | Jun 30, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Affected Versions
| sveltejs / devalue | >= 5.1.0, < 5.6.2 |
References
github.com: https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf
github.com: https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4
github.com: https://github.com/sveltejs/devalue/releases/tag/v5.6.2
access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-22775
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2430109
security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22775.json
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:2926
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:2144