CVE-2026-42570
Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product   Version / Range
sveltejs  devalue   up to 5.8.1 (excluding)
sveltejs  devalue   5.8.1
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Compliance Impact

The vulnerability in devalue.parse leads to excessive memory consumption causing a denial-of-service (DoS) condition, impacting system availability.

Since the issue does not affect confidentiality or integrity of data, it primarily impacts availability.

Common standards and regulations such as GDPR and HIPAA emphasize the protection of confidentiality, integrity, and availability of data.

While this vulnerability could affect availability, it does not directly compromise personal data confidentiality or integrity, so its impact on compliance with GDPR or HIPAA is limited to availability concerns.

Executive Summary

CVE-2026-42570 is a vulnerability in the JavaScript library 'devalue' used by Svelte. The issue occurs in versions from 5.6.3 up to but not including 5.8.1, where the function devalue.parse can be tricked into allocating much more memory than necessary when deserializing sparse arrays. This happens due to quirks in some JavaScript engines, causing excessive memory consumption.

Specifically, a malicious payload with many sparse arrays claiming large lengths but containing minimal data can force the parser to allocate large arrays in memory, potentially crashing the host process.

The vulnerability was patched in version 5.8.1 by adding validation checks on array lengths and indices and changing the parsing logic to avoid eager large memory allocation.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by causing excessive memory consumption during the deserialization of sparse arrays. An attacker can exploit this remotely without any privileges or user interaction.

The impact is primarily on system availability, as the excessive memory allocation can crash the host process or severely degrade performance.

There is no impact on confidentiality or integrity of data.

Detection Guidance

This vulnerability involves excessive memory allocation during deserialization of sparse arrays using devalue.parse in affected versions of the devalue library. Detection would involve monitoring for unusually high memory consumption or crashes in applications using devalue versions from 5.6.3 up to 5.8.0.

There are no specific commands or network detection signatures provided in the available information to detect exploitation attempts directly.

A practical approach is to check the version of the devalue package in your environment to identify if it is within the vulnerable range.

  • Use npm or yarn to check the installed version, for example: `npm list devalue` or `yarn list devalue`.
  • Monitor application logs and system metrics for signs of high memory usage or crashes related to JavaScript processes using devalue.
Mitigation Strategies

The primary mitigation step is to upgrade the devalue library to version 5.8.1 or later, where the vulnerability has been patched.

The fix includes validation of array lengths and indices to prevent excessive memory allocation during sparse array deserialization.

If upgrading immediately is not possible, consider implementing monitoring for abnormal memory usage and restricting inputs that could trigger sparse array deserialization.
