Skip to main content

devalue EUVDEUVD-2026-35500

| CVE-2026-42570 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-14 https://github.com/sveltejs/devalue GHSA-77vg-94rm-hx3p
7.5
CVSS 3.1 · Vendor: https://github.com/sveltejs/devalue
Share

Severity by source

Vendor (https://github.com/sveltejs/devalue) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/sveltejs/devalue).

CVSS VectorVendor: https://github.com/sveltejs/devalue

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:19 vuln.today
Analysis Generated
May 14, 2026 - 21:19 vuln.today
CVE Published
May 14, 2026 - 20:23 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 31 npm packages depend on devalue (2 direct, 29 indirect)

Ecosystem-wide dependent count for version 5.6.3.

DescriptionCVE.org

devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.

AnalysisAI

Excessive memory allocation in devalue.parse (npm package) allows remote attackers to exhaust process memory via crafted sparse array payloads. Affects versions 5.6.3 through 5.8.0. Exploits JavaScript engine behavior where declaring large array lengths triggers eager memory allocation in V8, enabling denial-of-service with minimal payload size. Vendor-released patch 5.8.1 forces sparse allocation by touching MAX_ARRAY_INDEX before setting length. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists in security advisory test cases.

Technical ContextAI

The devalue library (pkg:npm/devalue) provides serialization/deserialization primitives used in Svelte and SvelteKit frameworks. The vulnerability resides in the sparse array deserialization logic within devalue.parse. The SPARSE encoding format [-7, length, idx, val, ...] previously called new Array(length) directly on untrusted length values. In V8 JavaScript engine (Chrome, Node.js), array lengths below ~10^8 trigger eager allocation of contiguous backing stores. An attacker-controlled payload declaring arrays with huge lengths (e.g., 100 million) but minimal actual data forces the parser to allocate gigabytes of memory. This is a CWE-770 (Allocation of Resources Without Limits or Throttling) issue where input validation failed to prevent resource exhaustion. The patch addresses this by first touching array[MAX_ARRAY_INDEX] to force V8 into dictionary-elements mode, where length becomes a number property without contiguous allocation, then deleting that index and setting the final length safely.

RemediationAI

Upgrade devalue to version 5.8.1 or later, confirmed fixed by vendor advisory GHSA-77vg-94rm-hx3p and release tag https://github.com/sveltejs/devalue/releases/tag/v5.8.1. The patch commit 206ca6712fbc380a4571c59de9ab04b91110792d modifies src/parse.js to force sparse allocation. For npm projects, run 'npm update devalue' or 'npm install devalue@5.8.1'. SvelteKit users should update SvelteKit to a version bundling devalue 5.8.1+. If immediate upgrade is blocked, implement input validation to reject payloads containing SPARSE array markers (value -7 in devalue encoding) from untrusted sources, though this breaks legitimate sparse array deserialization. Alternatively, enforce payload size limits (<10KB) and run devalue.parse in isolated workers with memory limits (Node.js --max-old-space-size=512) to contain crashes-note this still allows DoS but prevents cascading OOM on shared infrastructure. No vendor-provided workarounds exist; upgrade is the only complete mitigation.

Vendor StatusVendor

Share

EUVD-2026-35500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy