Svelte devalue: DoS via sparse array deserialization

GHSA-77vg-94rm-hx3p · CVE-2026-42570

Published May 14, 2026 · Modified Jun 9, 2026

Description

devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.

References

WEB https://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42570
WEB https://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d
PACKAGE https://github.com/sveltejs/devalue
WEB https://github.com/sveltejs/devalue/releases/tag/v5.8.1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes