CVE-2026-22774

High CVSS: 7.5

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.

Vendor

Svelte

Product

Devalue

CWE

CWE-405

Yayın Tarihi

2026-01-15 19:16:05

Güncelleme

2026-01-20 15:28:55

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-405 Devalue HIGH Svelte 2026

Referanslar

https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv

Benzer Kayıtlar

Medium

CVE-2026-30226

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the…

Medium

CVE-2026-27902

Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly esca…

Medium

CVE-2026-27901

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textConte…

Medium

CVE-2026-27119

svelte performance oriented web framework. From 5.39.3,

Medium

CVE-2026-27121

svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XS…

Medium

CVE-2026-27122

svelte performance oriented web framework. Prior to 5.51.5, when using in server-side rendering, the provided tag name…