CVE-2026-22775
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5
CVSS
7.5
High
EPSS
0.6%
p43
KEV
—
Exploit Today
13
0-100
Published: Jan 15, 2026 · Last modified: Jul 15, 2026 · CWE-405
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.
- github.comhttps://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4
- github.comhttps://github.com/sveltejs/devalue/releases/tag/v5.6.2
- github.comhttps://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2144
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2926
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-22775
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2430109
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22775.json