GHSA-77vg-94rm-hx3pHighCVSS 7.5
Svelte devalue: DoS via sparse array deserialization
🔗 CVE IDs covered (1)
📋 Description
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.
🎯 Affected products1
- npm/devalue:>= 5.6.3, <= 5.8.0
🔗 References (5)
- https://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p
- https://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d
- https://github.com/sveltejs/devalue/releases/tag/v5.8.1
- https://nvd.nist.gov/vuln/detail/CVE-2026-42570
- https://github.com/advisories/GHSA-77vg-94rm-hx3p