FKIE_CVE-2026-22774

Vulnerability from fkie_nvd - Published: 2026-01-15 19:16 - Updated: 2026-01-20 15:28
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
References
security-advisories@github.comhttps://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7Patch
security-advisories@github.comhttps://github.com/sveltejs/devalue/releases/tag/v5.6.2Release Notes
security-advisories@github.comhttps://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mvVendor Advisory
Impacted products
Vendor Product Version
svelte devalue *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "8EF7822F-5387-4831-9C9C-54BF822F0DA5",
              "versionEndExcluding": "5.6.2",
              "versionStartIncluding": "5.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn\u0027t sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2."
    },
    {
      "lang": "es",
      "value": "Svelte devalue es una biblioteca de JavaScript que serializa valores en cadenas cuando JSON.stringify no es suficiente para la tarea. Desde la 5.3.0 hasta la 5.6.1, ciertas entradas pueden hacer que devalue.parse consuma tiempo de CPU y/o memoria excesivos, lo que podr\u00eda llevar a una denegaci\u00f3n de servicio en sistemas que analizan entradas de fuentes no confiables. Esto afecta a las aplicaciones que usan devalue.parse en datos suministrados externamente. La causa ra\u00edz es la hidrataci\u00f3n de arrays tipados que espera un ArrayBuffer como entrada, pero no verifica la suposici\u00f3n antes de crear el array tipado. Esta vulnerabilidad est\u00e1 corregida en la 5.6.2."
    }
  ],
  "id": "CVE-2026-22774",
  "lastModified": "2026-01-20T15:28:55.100",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-15T19:16:05.813",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/sveltejs/devalue/releases/tag/v5.6.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-405"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.