CVE-2026-22774

Description

## Summary Certain inputs can cause `devalue.parse` to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using `devalue.parse` on externally-supplied data. The root cause is the typed array hydration expecting an `ArrayBuffer` as input, but not checking the assumption before creating the typed array. ## Details The parser's typed array hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system. ## Impact This is a denial of service vulnerability affecting systems that use `devalue.parse` to handle data from potentially untrusted sources. Affected systems should upgrade to patched versions immediately.

How to fix CVE-2026-22774

To remediate CVE-2026-22774, upgrade the affected package to a fixed version below.

• —upgrade to 5.6.2 or later

Is CVE-2026-22774 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.3.0, < 5.6.2

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-22774
• PATCHgithub.com/sveltejs/devalue
• WEBgithub.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4
• WEBgithub.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7