Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (https://github.com/sveltejs/devalue).
CVSS VectorVendor: https://github.com/sveltejs/devalue
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 31 npm packages depend on devalue (2 direct, 29 indirect)
Ecosystem-wide dependent count for version 5.6.3.
DescriptionCVE.org
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.
AnalysisAI
Excessive memory allocation in devalue.parse (npm package) allows remote attackers to exhaust process memory via crafted sparse array payloads. Affects versions 5.6.3 through 5.8.0. Exploits JavaScript engine behavior where declaring large array lengths triggers eager memory allocation in V8, enabling denial-of-service with minimal payload size. Vendor-released patch 5.8.1 forces sparse allocation by touching MAX_ARRAY_INDEX before setting length. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists in security advisory test cases.
Technical ContextAI
The devalue library (pkg:npm/devalue) provides serialization/deserialization primitives used in Svelte and SvelteKit frameworks. The vulnerability resides in the sparse array deserialization logic within devalue.parse. The SPARSE encoding format [-7, length, idx, val, ...] previously called new Array(length) directly on untrusted length values. In V8 JavaScript engine (Chrome, Node.js), array lengths below ~10^8 trigger eager allocation of contiguous backing stores. An attacker-controlled payload declaring arrays with huge lengths (e.g., 100 million) but minimal actual data forces the parser to allocate gigabytes of memory. This is a CWE-770 (Allocation of Resources Without Limits or Throttling) issue where input validation failed to prevent resource exhaustion. The patch addresses this by first touching array[MAX_ARRAY_INDEX] to force V8 into dictionary-elements mode, where length becomes a number property without contiguous allocation, then deleting that index and setting the final length safely.
RemediationAI
Upgrade devalue to version 5.8.1 or later, confirmed fixed by vendor advisory GHSA-77vg-94rm-hx3p and release tag https://github.com/sveltejs/devalue/releases/tag/v5.8.1. The patch commit 206ca6712fbc380a4571c59de9ab04b91110792d modifies src/parse.js to force sparse allocation. For npm projects, run 'npm update devalue' or 'npm install devalue@5.8.1'. SvelteKit users should update SvelteKit to a version bundling devalue 5.8.1+. If immediate upgrade is blocked, implement input validation to reject payloads containing SPARSE array markers (value -7 in devalue encoding) from untrusted sources, though this breaks legitimate sparse array deserialization. Alternatively, enforce payload size limits (<10KB) and run devalue.parse in isolated workers with memory limits (Node.js --max-old-space-size=512) to contain crashes-note this still allows DoS but prevents cascading OOM on shared infrastructure. No vendor-provided workarounds exist; upgrade is the only complete mitigation.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35500
GHSA-77vg-94rm-hx3p