CVE-2026-42570
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sveltejs | devalue | >= 5.6.3, < 5.8.1 | affected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
devalue: devalue: Excessive memory consumption via deserialization of sparse arrays
Additional References
- https://access.redhat.com/security/cve/CVE-2026-42570
- https://bugzilla.redhat.com/show_bug.cgi?id=2487050
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42570.json
References
- https://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p
- https://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d
- https://github.com/sveltejs/devalue/releases/tag/v5.8.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.