PT-2026-3093 · Devalue+1 · Devalue+1
Jviide
·
Published
2026-01-15
·
Updated
2026-01-16
·
CVE-2026-22775
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Svelte devalue versions 5.1.0 through 5.6.1
Description
Certain inputs can cause the
devalue.parse function to consume excessive CPU time and/or memory, potentially leading to a denial of service. This affects applications using devalue.parse on externally-supplied data. The issue stems from the ArrayBuffer hydration logic not validating input before processing, specifically expecting base64 encoded strings without verification.Recommendations
Upgrade to version 5.6.2 or later.
Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Svelte
Devalue