FKIE_CVE-2026-22775

Vulnerability from fkie_nvd - Published: 2026-01-15 19:16 - Updated: 2026-01-20 15:29
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.
References
security-advisories@github.comhttps://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4Patch
security-advisories@github.comhttps://github.com/sveltejs/devalue/releases/tag/v5.6.2Release Notes
security-advisories@github.comhttps://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpfVendor Advisory
Impacted products
Vendor Product Version
svelte devalue *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "E70AD508-7046-4740-A03C-8605AC4A5F12",
              "versionEndExcluding": "5.6.2",
              "versionStartIncluding": "5.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn\u0027t sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2."
    },
    {
      "lang": "es",
      "value": "Svelte devalue es una biblioteca de JavaScript que serializa valores en cadenas cuando JSON.stringify no es suficiente para la tarea. Desde la versi\u00f3n 5.1.0 hasta la 5.6.1, ciertas entradas pueden causar que devalue.parse consuma tiempo de CPU y/o memoria excesivos, lo que podr\u00eda llevar a una denegaci\u00f3n de servicio en sistemas que analizan entradas de fuentes no confiables. Esto afecta a las aplicaciones que utilizan devalue.parse con datos suministrados externamente. La causa ra\u00edz es la hidrataci\u00f3n de ArrayBuffer que espera cadenas codificadas en base64 como entrada, pero no verifica la suposici\u00f3n antes de decodificar la entrada. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 5.6.2."
    }
  ],
  "id": "CVE-2026-22775",
  "lastModified": "2026-01-20T15:29:35.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-15T19:16:05.963",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/sveltejs/devalue/releases/tag/v5.6.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-405"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.