CVE-2026-22774
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sveltejs | devalue | From 5.3.0 (inc) to 5.6.1 (inc) |
| sveltejs | devalue | 5.6.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the devalue JavaScript library occurs because the devalue.parse function does not properly validate input when reconstructing typed arrays. Specifically, it assumes that the input is an ArrayBuffer without checking, which can lead to excessive CPU and memory usage when processing maliciously crafted inputs. This flaw can cause denial of service by exhausting system resources. The issue was fixed by adding strict type validation to ensure only valid ArrayBuffer instances are accepted during deserialization. [1, 3]
How can this vulnerability impact me?
If your application uses devalue.parse on untrusted external data, this vulnerability can be exploited to cause excessive CPU and memory consumption, potentially leading to denial of service. This means attackers could crash or severely degrade the performance of your system by sending specially crafted inputs that trigger the flaw in typed array hydration. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for excessive CPU usage or memory consumption in applications using the devalue.parse function on untrusted input, as malicious inputs cause resource exhaustion. Additionally, checking the version of the devalue library in use can help identify if the system is vulnerable (versions >=5.3.0 and <=5.6.1 are affected). There are no specific commands provided in the resources, but you can use standard system monitoring tools such as 'top' or 'htop' on Linux to observe CPU and memory usage spikes. To check the devalue version in a Node.js project, you can run 'npm list devalue' or inspect the package.json and package-lock.json files. [3]
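As an added example (not from this advisory or the devalue project), the check below walks a package-lock.json "packages" map and flags every copy of devalue, including nested transitive copies, whose version falls in the affected range 5.3.0 to 5.6.1 inclusive; the sample lockfile object is constructed for the demo, and a real one would be loaded with JSON.parse before calling auditLockfile().

```javascript
// Added example: audit a lockfile for devalue versions inside the affected range
// reported for CVE-2026-22774 (5.3.0 <= v <= 5.6.1; fixed in 5.6.2).
const AFFECTED_MIN = "5.3.0";
const AFFECTED_MAX = "5.6.1";
const FIXED = "5.6.2";

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes after a "-" are ignored for simplicity.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside the inclusive affected range.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Walk the lockfile v2/v3 "packages" map. Keys look like "node_modules/devalue"
// or, for nested copies, "node_modules/<dep>/node_modules/devalue".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/devalue" || path.endsWith("/node_modules/devalue")) {
      findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return findings;
}

// Constructed sample: the direct dependency is already fixed, but a transitive
// dependency still pins an affected copy (the case "npm list devalue" also reveals).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/devalue": { version: "5.6.2" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/devalue": { version: "5.4.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} ${f.affected ? `AFFECTED, upgrade to ${FIXED}` : "ok"}`);
}
```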
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the devalue library to version 5.6.2 or later, where the input validation issues have been fixed. This update includes validation to ensure only valid ArrayBuffer instances are accepted during typed array deserialization, preventing the denial of service condition. Additionally, avoid parsing untrusted input with vulnerable versions of devalue.parse until the upgrade is applied. [2, 3]