CVE-2026-22775

Description

## Summary Certain inputs can cause `devalue.parse` to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using `devalue.parse` on externally-supplied data. The root cause is the `ArrayBuffer` hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. ## Details The parser's `ArrayBuffer` hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system. ## Impact This is a denial of service vulnerability affecting systems that use `devalue.parse` to handle data from potentially untrusted sources. Affected systems should upgrade to patched versions immediately.

How to fix CVE-2026-22775

To remediate CVE-2026-22775, upgrade the affected package to a fixed version below.

• —upgrade to 5.6.2 or later

Is CVE-2026-22775 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.1.0, < 5.6.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-22775
• PATCHgithub.com/sveltejs/devalue
• WEBgithub.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4
• WEBgithub.com/sveltejs/devalue/releases/tag/v5.6.2