Svelte devalue: DoS via sparse array deserialization_CVE-2026-42570

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.

Basic Information

ID CVE-2026-42570

Source GitHub_M

Published Jun 9, 2026 at 16:12

Affected Product

Vendor sveltejs

Product devalue

Version >= 5.6.3, < 5.8.1

Affected Versions sveltejs devalue >= 5.6.3, < 5.8.1

CWE Classification

CWE-770

References

{
    "lastseen": "",
    "description": "Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.",
    "published": "2026-06-09T16:12:26.377Z",
    "modified": "2026-06-09T16:12:26.377Z",
    "type": "cve",
    "title": "Svelte devalue: DoS via sparse array deserialization",
    "source": "GitHub_M",
    "references": "https://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p\nhttps://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d\nhttps://github.com/sveltejs/devalue/releases/tag/v5.8.1",
    "id": "CVE-2026-42570",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "sveltejs devalue >= 5.6.3, < 5.8.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "devalue",
    "version": ">= 5.6.3, < 5.8.1",
    "vendor": "sveltejs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}