CVE-2026-42570

HIGH7.5

Svelte devalue: DoS via sparse array deserialization

Published: 5/14/2026Modified: 5/14/2026

Description

`devalue.parse` could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.

Affected packages (1)

npm/devalue>= 5.6.3, < 5.8.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

PATCHhttps://github.com/sveltejs/devalue
WEBhttps://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d
WEBhttps://github.com/sveltejs/devalue/releases/tag/v5.8.1
WEBhttps://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p