
devalue CVE-2026-42570

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-14 https://github.com/sveltejs/devalue GHSA-77vg-94rm-hx3p
CVSS 3.1: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: May 14, 2026 - 21:19 (vuln.today)
Analysis Generated: May 14, 2026 - 21:19 (vuln.today)
CVE Published: May 14, 2026 - 20:23 (nvd), HIGH 7.5

Blast Radius

ecosystem impact
  • 50 npm packages depend on devalue (2 direct, 48 indirect)

Ecosystem-wide dependent count for version 5.6.3.

Description (NVD)

devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.

Analysis (AI)

Excessive memory allocation in devalue.parse (npm package) allows remote attackers to exhaust process memory via crafted sparse array payloads. Affects versions 5.6.3 through 5.8.0. …


Remediation (AI)

Within 24 hours: Identify all applications and services using devalue versions 5.6.3-5.8.0 via dependency scanning (npm audit, SBOM review). Within 7 days: Upgrade devalue to version 5.8.1 or later across all affected projects and redeploy. …
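
An added example (not from vuln.today or the devalue project) of the identification step above: it walks a parsed package-lock.json (lockfileVersion 2 or 3) and flags every devalue install, including nested copies, that falls in the 5.6.3 to 5.8.0 range this page lists as affected. The sample lockfile and its package names are constructed, and pre-release suffixes are ignored as a simplifying assumption.

```javascript
// Added example: flag devalue installs in the range this page lists as affected.
// Range bounds come from the page (5.6.3 through 5.8.0; upgrade target is 5.8.1).
const AFFECTED_MIN = [5, 6, 3];
const AFFECTED_MAX = [5, 8, 0];

// Parse "x.y.z" into numbers; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

// Walk a parsed package-lock.json (lockfileVersion 2/3 "packages" map) and
// return every devalue install, including copies nested under other packages.
function findDevalue(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/devalue' || path.endsWith('/node_modules/devalue')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/devalue': { version: '5.8.1' },
    'node_modules/example-framework/node_modules/devalue': { version: '5.7.0' },
    'node_modules/not-devalue': { version: '5.7.0' },
  },
};

for (const hit of findDevalue(sampleLock)) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok'}  ${hit.version}  ${hit.path}`);
}
```

To check a real project, pass the parsed contents of its package-lock.json to `findDevalue` in place of `sampleLock`.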

