CVE-2026-42570
7.5 HIGH
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job.
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-770
Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-24720 — An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6
- CVE-2026-41726 — When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with uniqu... (6.5 MEDIUM)
- CVE-2026-41716 — Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhau... (7.5 HIGH)
- CVE-2026-28237 — Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of ...
- CVE-2026-49955 — Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade... (5.3 MEDIUM)