Description

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications that call devalue.parse on externally-supplied data. The root cause is that the ArrayBuffer hydration expects base64-encoded strings as input but does not check that assumption before decoding the input. This vulnerability is fixed in 5.6.2.

Status: PUBLISHED | Reserved 2026-01-09 | Published 2026-01-15 | Updated 2026-01-15 | Assigner: GitHub_M

HIGH: 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-405: Asymmetric Resource Consumption (Amplification)

Product status

affected: >= 5.1.0, < 5.6.2

References

github.com/...evalue/security/advisories/GHSA-g2pg-6438-jwpf

github.com/...ommit/11755849fa0634ae294a15ec0aef2f43efcad7c4

github.com/sveltejs/devalue/releases/tag/v5.6.2

cve.org (CVE-2026-22775)

nvd.nist.gov (CVE-2026-22775)