PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22775 Svelte CVE debrief

CVE-2026-22775 is a denial of service vulnerability in Svelte Devalue, a JavaScript library for serializing values into strings. The vulnerability affects Devalue versions 5.1.0 through 5.6.1 and can cause excessive CPU time and/or memory consumption when parsing input from untrusted sources, leading to denial of service in systems that use Devalue to parse externally-supplied data. The root cause is that the ArrayBuffer hydration code assumes its input is a base64 encoded string but does not verify that assumption before decoding the input. The vulnerability is fixed in Devalue version 5.6.2.

Vendor
Svelte
Product
Devalue
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-15
Original CVE updated
2026-06-30
Advisory published
2026-01-15
Advisory updated
2026-06-30

Who should care

Developers and administrators who use Svelte Devalue in their applications should be aware of this vulnerability. It affects applications that use Devalue to parse input from untrusted sources, where it can lead to denial of service. Users of Devalue versions 5.1.0 through 5.6.1 should take action to mitigate it.

Technical summary

The Svelte Devalue library is vulnerable to a denial of service attack because parsing certain inputs consumes excessive CPU time and/or memory. The vulnerability exists in Devalue versions 5.1.0 through 5.6.1 and is caused by the ArrayBuffer hydration code assuming its input is a base64 encoded string without verifying that assumption before decoding it. Systems that use Devalue to parse externally-supplied data can therefore be driven into denial of service. The vulnerability has a CVSS score of 7.5 and is considered high severity. It is fixed in Devalue version 5.6.2.

Defensive priority

High priority should be given to mitigating this vulnerability, as it can lead to denial of service in systems that use Devalue to parse externally-supplied data. Administrators and developers should take action to upgrade to Devalue version 5.6.2 or later.

Recommended defensive actions

  • Upgrade to Devalue version 5.6.2 or later
  • Review and validate input data to prevent excessive CPU time and/or memory consumption
  • Implement compensating controls to detect and prevent denial of service attacks
  • Monitor systems for signs of denial of service attacks
  • Consider implementing additional security measures to protect against similar vulnerabilities

Evidence notes

The vulnerability is documented in the CVE-2026-22775 record and the NVD detail page. It is caused by the ArrayBuffer hydration code assuming its input is a base64 encoded string without verifying that assumption before decoding the input. The vulnerability affects Devalue versions 5.1.0 through 5.6.1 and is fixed in Devalue version 5.6.2.

Official resources

This article is AI-assisted and based on the supplied source corpus.