High severity · OSV Advisory · Published Jan 15, 2026 · Updated Jan 15, 2026
devalue vulnerable to denial of service due to memory exhaustion in devalue.parse
CVE-2026-22774
Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications that call devalue.parse on externally supplied data. The root cause is that the typed array hydration expects an ArrayBuffer as input but does not check that assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
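The following is an added example, not devalue's own code: a simplified hydration routine of the unchecked shape the advisory describes beside a hardened form that verifies the payload is an ArrayBuffer and bounds its size. The function names and the MAX_BYTES cap are assumptions chosen for the illustration.

```javascript
// Added example (not devalue's code). Illustrates why an unchecked typed array
// hydration step is a memory-exhaustion risk and how a guard closes it.

const TYPED_ARRAY_CTORS = { Uint8Array, Int32Array, Float64Array };

// Unchecked form (simplified): trusts `payload` to be an ArrayBuffer. The typed
// array constructor is overloaded, so a non-ArrayBuffer value such as a number is
// interpreted as a length and the allocation size is dictated by the input.
function hydrateTypedArrayUnchecked(type, payload) {
  return new TYPED_ARRAY_CTORS[type](payload);
}

// Hardened form: validate the constructor name, the payload's type and its size
// before allocating anything. MAX_BYTES is a hypothetical application-chosen cap.
const MAX_BYTES = 1024 * 1024;

function hydrateTypedArrayChecked(type, payload) {
  const Ctor = TYPED_ARRAY_CTORS[type];
  if (!Ctor) {
    throw new TypeError(`unknown typed array type: ${String(type)}`);
  }
  if (!(payload instanceof ArrayBuffer)) {
    throw new TypeError("typed array payload must be an ArrayBuffer");
  }
  if (payload.byteLength > MAX_BYTES) {
    throw new RangeError(`payload of ${payload.byteLength} bytes exceeds cap`);
  }
  if (payload.byteLength % Ctor.BYTES_PER_ELEMENT !== 0) {
    throw new RangeError("byte length is not a multiple of the element size");
  }
  return new Ctor(payload);
}

// Constructed sample input: a genuine 3-byte buffer hydrates in both versions;
// a bare number is rejected by the checked version but accepted by the other.
const sampleBuffer = new Uint8Array([1, 2, 3]).buffer;
console.log(hydrateTypedArrayChecked("Uint8Array", sampleBuffer).length); // 3
console.log(hydrateTypedArrayUnchecked("Uint8Array", 4).length);          // 4
```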
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devalue (npm) | >= 5.3.0, < 5.6.2 | 5.6.2 |
References
- github.com/advisories/GHSA-vw5p-8cq8-m7mv (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-22774 (advisory)
- github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4 (fix commit)
- github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 (fix commit)
- github.com/sveltejs/devalue/releases/tag/v5.6.2 (release)
- github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv (vendor advisory)