Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Svelte devalue is a JavaScript library that serializes and deserializes values. Between versions 5.6.3 and before 5.8.1, the parse function could be manipulated by supplying a sparse array that, due to quirks in certain JavaScript engines, causes the function to allocate far more memory than the array actually contains. This excessive memory consumption can lead to service disruption or system crashes, exemplifying a denial‑of‑service vulnerability (CWE‑770).

Affected Systems

The affected product is sveltejs:devalue, specifically versions from 5.6.3 through the last release prior to 5.8.1. All earlier releases are not impacted, and the issue has been resolved in version 5.8.1.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate‑to‑high severity of the flaw. While an EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the ability to trigger memory exhaustion is present. The likely attack vector involves an attacker providing a specially crafted sparse array to the devalue.parse routine, which may be reachable through any user‑controlled input endpoint or embedded script. Successful exploitation would consume application or system memory, potentially causing a crash or degraded performance.

Generated by OpenCVE AI on June 9, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade devalue to version 5.8.1 or later.
  • If an upgrade is not feasible, block or reject any untrusted input that would trigger sparse array deserialization, and enforce strict size limits on arrays before parsing.
  • Apply runtime memory limits or monitor memory usage for processes that use devalue, and consider rate‑limiting or sandboxing to mitigate large payloads.

Generated by OpenCVE AI on June 9, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-77vg-94rm-hx3p Svelte devalue: DoS via sparse array deserialization
History

Tue, 09 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Svelte
Svelte devalue
Vendors & Products Svelte
Svelte devalue

Tue, 09 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Title Svelte devalue: DoS via sparse array deserialization
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Svelte Devalue
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T18:06:56.030Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42570

cve-icon Vulnrichment

Updated: 2026-06-09T18:06:42.643Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:07.253

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-42570

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:00:17Z

Weaknesses