CVE-2026-22775
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sveltejs | devalue | From 5.1.0 (inc) to 5.6.1 (inc) |
| sveltejs | devalue | 5.6.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the devalue.parse function of the Svelte devalue JavaScript library versions 5.1.0 to 5.6.1. The function improperly validates inputs when hydrating ArrayBuffers, expecting base64-encoded strings but not verifying this before decoding. Maliciously crafted inputs can cause excessive CPU and memory consumption, leading to denial of service (DoS) by exhausting system resources. The root cause is improper input validation and failure to detect circular references during hydration, which can cause infinite recursion or stack overflows. The issue is fixed in version 5.6.2 by adding strict input validation, cycle detection, and improved error handling. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to denial of service (DoS) attacks on systems using the devalue.parse function to process untrusted external data. Attackers can supply specially crafted inputs that cause the parser to consume excessive CPU and memory resources, potentially crashing the application or making it unresponsive. This can disrupt service availability and degrade system performance, impacting any application relying on this library for serialization and deserialization of data. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for excessive CPU or memory usage during processing of inputs by the devalue.parse function, especially when handling externally supplied data. Since the vulnerability arises from malformed or malicious inputs causing resource exhaustion, you can detect it by observing abnormal resource consumption patterns in applications using vulnerable versions (5.1.0 to 5.6.1) of the devalue library. Specific commands depend on your environment, but examples include using system monitoring tools such as `top` or `htop` on Linux to watch CPU and memory usage, or profiling Node.js processes. Additionally, scanning your project dependencies to identify whether devalue versions between 5.1.0 and 5.6.1 are in use can be done with commands like `npm ls devalue` or `yarn list devalue`. There are no direct commands provided in the resources for detecting exploit attempts, but monitoring resource usage and dependency versions is recommended. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the devalue library to version 5.6.2 or later, where the vulnerability has been fixed. This update includes strict validation of ArrayBuffer inputs, prevention of circular references during hydration, and improved error handling to prevent excessive CPU and memory consumption. Additionally, avoid processing untrusted or external data with vulnerable versions of devalue.parse until the upgrade is applied. Implementing input validation and error handling in your application to reject malformed or unexpected inputs can also help reduce risk. [2, 3, 1]