Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
Published: 2026-01-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via excessive memory/CPU consumption during parsing
Action: Immediate Patch
AI Analysis

Impact

devalue.parse, the deserializer in the Svelte devalue library, can consume excessive CPU time and memory when handed certain inputs, so any system that runs it over untrusted data can be pushed into denial of service. The root cause is in typed array hydration: the code assumes the value it is given is an ArrayBuffer and constructs the typed array from it without checking that assumption, and a crafted payload that violates it drives the resource exhaustion. The impact is loss of availability for applications that rely on this parsing path; versions 5.3.0 through 5.6.1 are affected and 5.6.2 contains the fix.

Affected Systems

Applications that use the Svelte devalue JavaScript library (npm package devalue) at versions 5.3.0 through 5.6.1 inclusive. Any code path that passes externally supplied data to devalue.parse is exposed. The NVD CPE names Node.js as the target software, but devalue also runs in browsers, so client-side consumers of untrusted payloads are affected as well as servers.

Risk and Exploitability

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 (High): reachable over the network, low attack complexity, no privileges or user interaction required, with the impact confined to availability. EPSS below 1% indicates a low observed probability of exploitation in the wild, and the flaw is not in the CISA KEV catalog; the SSVC assessment nonetheless rates it Automatable: yes, with Exploitation: none and Technical Impact: partial. Triggering it only requires that a crafted payload reach devalue.parse, which is a common position for a deserializer in a web application, so exposed services face a real availability risk and should patch promptly.

Generated by OpenCVE AI on April 18, 2026 at 06:02 UTC.

Remediation

Vendor fix: upgrade to devalue 5.6.2, which the CVE description and GHSA-vw5p-8cq8-m7mv identify as the fixed release. No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the devalue package to 5.6.2 or later, which contains the fix, and confirm the resolved version in the lockfile of every application and library that pulls it in transitively.
  • Treat every devalue.parse call on externally supplied data as an untrusted-input boundary: enforce a byte-length cap on the payload before it reaches the parser and reject anything over the cap rather than trying to sanitize it (structurally validating a serialized payload amounts to parsing it).
  • Run parsing of untrusted payloads under resource limits so a malicious input can only exhaust a bounded, disposable unit of work, for example a Node.js worker thread created with resourceLimits and a timeout, rather than the main event loop.

Generated by OpenCVE AI on April 18, 2026 at 06:02 UTC.
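The bug class behind this CVE (a typed array built from a value that is assumed, but not checked, to be an ArrayBuffer) and the size-limiting recommendation above, as an added example. This is not devalue's source code: the reference layout [typeName, buffer, byteOffset, length], the helper names, and the maxBytes / maxChars policy values are assumptions made for illustration, and the inputs are constructed.

```javascript
// Added illustration for CVE-2026-22774; this is NOT devalue's source and the
// reference layout [typeName, buffer, byteOffset, length] is a hypothetical
// simplification of how a hydrator might rebuild a typed array view.

const TYPED_ARRAY_CTORS = {
  Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array,
  Int32Array, Uint32Array, Float32Array, Float64Array, BigInt64Array, BigUint64Array,
};

// The bug class: the hydrator assumes `buffer` is an ArrayBuffer and builds the
// view without checking. TypedArray constructors are overloaded: when the first
// argument is not an object it is taken as an element count, so a payload that
// substitutes a number for the buffer reference turns "create a view" into
// "allocate a fresh zero-filled array of attacker-chosen size" (the remaining
// arguments are silently ignored).
function hydrateTypedArrayUnchecked(typeName, buffer, byteOffset, length) {
  const Ctor = TYPED_ARRAY_CTORS[typeName];
  return new Ctor(buffer, byteOffset, length);
}

// Hardened form: check the assumption, bound the view to the buffer it claims
// to sit on, and apply an explicit byte budget so no single value can request
// an arbitrarily large allocation. `maxBytes` is a hypothetical policy knob.
function hydrateTypedArrayChecked(typeName, buffer, byteOffset, length, maxBytes = 1 << 20) {
  const Ctor = TYPED_ARRAY_CTORS[typeName];
  if (Ctor === undefined) throw new TypeError(`unknown typed array type ${String(typeName)}`);
  if (!(buffer instanceof ArrayBuffer)) {
    throw new TypeError('typed array source is not an ArrayBuffer');
  }
  if (!Number.isSafeInteger(byteOffset) || byteOffset < 0) throw new RangeError('invalid byteOffset');
  if (!Number.isSafeInteger(length) || length < 0) throw new RangeError('invalid length');
  const byteLength = length * Ctor.BYTES_PER_ELEMENT;
  if (byteLength > maxBytes) throw new RangeError(`view of ${byteLength} bytes exceeds budget ${maxBytes}`);
  if (byteOffset + byteLength > buffer.byteLength) throw new RangeError('view extends past the end of its buffer');
  if (byteOffset % Ctor.BYTES_PER_ELEMENT !== 0) throw new RangeError('byteOffset is not aligned for this element type');
  return new Ctor(buffer, byteOffset, length);
}

// Entry-point guard for untrusted payloads (hypothetical helper that wraps
// whatever parser you use): reject oversized strings before any parser
// allocates for them. A length cap is cheap and bounds the work one request can demand.
function parseBounded(text, parse, maxChars = 256 * 1024) {
  if (typeof text !== 'string') throw new TypeError('payload must be a string');
  if (text.length > maxChars) {
    throw new RangeError(`payload of ${text.length} chars exceeds limit of ${maxChars}`);
  }
  return parse(text);
}

// Demonstration on constructed inputs: the unchecked path hands back a fresh
// 64-element allocation instead of a 4-element view, the checked path builds a
// real view over the 8-byte buffer it was given.
function demo() {
  const buf = new ArrayBuffer(8);
  const bogus = hydrateTypedArrayUnchecked('Uint8Array', 64, 0, 4);
  const view = hydrateTypedArrayChecked('Uint16Array', buf, 2, 3);
  return { bogusLength: bogus.length, viewLength: view.length, viewSharesBuffer: view.buffer === buf };
}
```

The checked hydrator refuses the substituted number with a TypeError, and a real ArrayBuffer still cannot be used to request more memory than it holds or than the configured budget allows; parseBounded sits in front of the parser so the cap is enforced before any deserialization work starts.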

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-vw5p-8cq8-m7mv
Title: Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse
History

Tue, 20 Jan 2026 15:30:00 +0000

CPEs, values added: cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:*

Fri, 16 Jan 2026 14:15:00 +0000

First Time appeared, values added: Svelte; Svelte devalue
Vendors & Products, values added: Svelte; Svelte devalue

Fri, 16 Jan 2026 00:15:00 +0000

Thu, 15 Jan 2026 20:15:00 +0000

Metrics, values added: ssvc version 2.0.3 (Automatable: yes; Exploitation: none; Technical Impact: partial)

Thu, 15 Jan 2026 19:15:00 +0000

Thu, 15 Jan 2026 19:00:00 +0000

Description, values added: Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
Title, values added: devalue vulnerable to denial of service due to memory exhaustion in devalue.parse
Weaknesses, values added: CWE-405 (Asymmetric Resource Consumption (Amplification))
References, values added: (none recorded in this entry)
Metrics, values added: cvssV3_1 score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T19:16:10.500Z

Reserved: 2026-01-09T18:27:19.387Z

Link: CVE-2026-22774

Vulnrichment

Updated: 2026-01-15T19:16:08.312Z

NVD

Status : Analyzed

Published: 2026-01-15T19:16:05.813

Modified: 2026-01-20T15:28:55.100

Link: CVE-2026-22774

Red Hat

Severity : Important

Public Date: 2026-01-15T18:53:21Z

Links: CVE-2026-22774 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses