PatchSiren cyber security CVE debrief
CVE-2026-22775 Svelte CVE debrief
CVE-2026-22775 is a denial-of-service vulnerability in Svelte Devalue, a JavaScript library for serializing values into strings. It affects Devalue versions 5.1.0 through 5.6.1 and can cause excessive CPU time and/or memory consumption when parsing input from untrusted sources, which can lead to denial of service in systems that use Devalue to parse externally supplied data. The root cause is that the ArrayBuffer hydration path expects a base64-encoded string as input but does not check that assumption before decoding, so malformed input reaches the decoder unchecked. The vulnerability is fixed in Devalue version 5.6.2.
- Vendor: Svelte
- Product: Devalue
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-15
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-15
- Advisory updated: 2026-06-30
Who should care
Developers and administrators who use Svelte Devalue in their applications should be aware of this vulnerability. It matters most for applications that use Devalue to parse input from untrusted sources, where it can lead to denial of service. Users of Devalue versions 5.1.0 through 5.6.1 should take action to mitigate it.
Technical summary
The Svelte Devalue library is vulnerable to a denial-of-service attack because parsing certain inputs consumes excessive CPU time and/or memory. The vulnerability exists in Devalue versions 5.1.0 through 5.6.1 and is caused by the ArrayBuffer hydration path expecting a base64-encoded string as input but not checking that assumption before decoding it. Systems that use Devalue to parse externally supplied data can therefore be driven into denial of service by a single malformed value. The vulnerability has a CVSS score of 7.5 and is rated high severity. It is fixed in Devalue version 5.6.2.
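As an added example, not devalue's own code, the following guarded hydrator shows the kind of check the root cause calls for: it validates the base64 assumption and a decoded-size bound before anything is handed to the decoder. The function names, the regex and the size cap are assumptions chosen for illustration.

```javascript
// Added example (not devalue's own code): an ArrayBuffer hydrator that
// checks the "input is base64" assumption before decoding, so malformed or
// oversized strings are rejected cheaply instead of reaching the decoder.

// Canonical base64: groups of four, with "=" padding only at the end.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Hypothetical cap on the decoded size; tune per deployment.
const DEFAULT_MAX_BYTES = 1024 * 1024; // 1 MiB

function hydrateArrayBuffer(encoded, maxBytes = DEFAULT_MAX_BYTES) {
  if (typeof encoded !== 'string') {
    throw new TypeError('ArrayBuffer hydration expects a string');
  }
  // Cheap length checks first: canonical base64 is a multiple of 4 chars,
  // and the decoded size is at most 3/4 of the encoded length.
  if (encoded.length % 4 !== 0) {
    throw new RangeError('base64 length must be a multiple of 4');
  }
  if ((encoded.length / 4) * 3 > maxBytes) {
    throw new RangeError(`decoded size would exceed ${maxBytes} bytes`);
  }
  // Only then validate the alphabet; this scan is linear in input length.
  if (!BASE64_RE.test(encoded)) {
    throw new SyntaxError('input is not canonical base64');
  }
  const buf = Buffer.from(encoded, 'base64');
  // Copy into a standalone ArrayBuffer so callers never alias Node's pool.
  return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
}

// Constructed inputs: "aGk=" is the base64 encoding of the two bytes "hi";
// the other three values are malformed in different ways and must be rejected.
function demo() {
  const ok = hydrateArrayBuffer('aGk=');
  let rejected = 0;
  for (const bad of ['aGk', 'a!k=', 42]) {
    try { hydrateArrayBuffer(bad); } catch { rejected += 1; }
  }
  return { okBytes: ok.byteLength, rejected };
}
```

The same shape-before-decode ordering applies to any other hydration path that trusts an encoding assumption about externally supplied strings.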
Defensive priority
Mitigating this vulnerability should be treated as high priority, because it can lead to denial of service in systems that use Devalue to parse externally supplied data. Administrators and developers should upgrade to Devalue version 5.6.2 or later.
Recommended defensive actions
- Upgrade to Devalue version 5.6.2 or later
- Review and validate input data to prevent excessive CPU time and/or memory consumption
- Implement compensating controls to detect and prevent denial of service attacks
- Monitor systems for signs of denial of service attacks
- Consider implementing additional security measures to protect against similar vulnerabilities
Evidence notes
The vulnerability is documented in the CVE-2026-22775 record and the NVD detail page. Both describe the cause as the ArrayBuffer hydration path expecting a base64-encoded string as input without checking that assumption before decoding. The affected range is Devalue versions 5.1.0 through 5.6.1, and the fix is in Devalue version 5.6.2.
Official resources
- CVE-2026-22775 CVE record (CVE.org)
- CVE-2026-22775 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.