PatchSiren cyber security CVE debrief
CVE-2026-42570 sveltejs CVE debrief
CVE-2026-42570 is a HIGH severity vulnerability in Svelte devalue, a JavaScript library for serializing values into strings. Versions from 5.6.3 to before 5.8.1 are vulnerable to excessive memory consumption due to quirks in some JavaScript engines when deserializing sparse arrays. This issue has been patched in version 5.8.1.
- Vendor: sveltejs
- Product: devalue
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Developers and users of Svelte devalue versions from 5.6.3 up to, but not including, 5.8.1 should be aware of this vulnerability and upgrade to a patched version.
Technical summary
The vulnerability exists in the devalue.parse function, which can allocate excessive memory when deserializing sparse arrays. This can lead to high memory consumption, potentially causing performance issues or crashes.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Svelte devalue version 5.8.1 or later.
- Review and update affected applications to use the patched version.
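One way to carry out the review step, as an added example that is not part of the original advisory or the devalue project's code: it lists every installed copy of devalue in an npm lockfile, including copies nested under other packages, and flags those in the affected range stated above. It assumes a lockfile with a "packages" map (lockfileVersion 2 or 3); the function names and the sample package names are this example's own.

```javascript
// Added example: find devalue installs in the affected range stated above
// (5.6.3 <= version < 5.8.1) in an npm lockfile that has a "packages" map.
const FIRST_AFFECTED = [5, 6, 3];
const FIRST_PATCHED = [5, 8, 1];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { parts: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true = in range, false = outside, null = unparseable (review by hand).
// Semver ordering: a pre-release such as 5.8.1-next.0 sorts below 5.8.1.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const lo = compare(v.parts, FIRST_AFFECTED);
  const hi = compare(v.parts, FIRST_PATCHED);
  const atOrAboveFirstAffected = lo > 0 || (lo === 0 && !v.pre);
  const belowFirstPatched = hi < 0 || (hi === 0 && v.pre);
  return atOrAboveFirstAffected && belowFirstPatched;
}

// Returns every installed copy, including copies nested under other packages.
function findDevalue(lockfileText) {
  const packages = JSON.parse(lockfileText).packages || {};
  return Object.entries(packages)
    .filter(([path]) => path === "node_modules/devalue" || path.endsWith("/node_modules/devalue"))
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

// Constructed sample lockfile; package names other than devalue are hypothetical.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/devalue": { version: "5.7.0" },
    "node_modules/example-ssr/node_modules/devalue": { version: "5.8.1" },
    "node_modules/example-tool/node_modules/devalue": { version: "5.6.2" },
    "node_modules/devalue-helper": { version: "5.7.0" },
  },
});

for (const hit of findDevalue(SAMPLE_LOCK)) {
  const status = hit.affected === null ? "REVIEW" : hit.affected ? "AFFECTED" : "ok";
  console.log(`${hit.path}  ${hit.version}  ${status}`);
}
```

To check a real project, pass the text of its package-lock.json to findDevalue. A nested copy can stay in the affected range after the top-level dependency is upgraded, so every returned entry should be checked.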
Evidence notes
The vulnerability was patched in version 5.8.1. References: [ref-4: Patch](https://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d), [ref-5: Product, Release Notes](https://github.com/sveltejs/devalue/releases/tag/v5.8.1), [ref-6: Vendor Advisory](https://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p).
Official resources
- CVE-2026-42570 CVE record (CVE.org)
- CVE-2026-42570 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch
- Mitigation or vendor reference: Product, Release Notes
- Mitigation or vendor reference: Vendor Advisory
CVE-2026-42570 was published on 2026-06-09T17:17:07.253Z and modified on 2026-06-11T18:52:51.173Z.