CVE-2026-22775

7.5 HIGH

📋 TL;DR

CVE-2026-22775 is a denial-of-service vulnerability in the Svelte devalue JavaScript library where specially crafted inputs cause excessive CPU and memory consumption during parsing. This affects applications using devalue.parse on untrusted external data, potentially crashing or degrading service. Systems processing user-supplied data with vulnerable devalue versions (5.1.0 to 5.6.1) are at risk.

💻 Affected Systems

Products:
  • Svelte devalue
Versions: 5.1.0 to 5.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when devalue.parse is used on untrusted/external data. Applications not using this function or not processing external data are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service through resource exhaustion, crashing applications or servers processing malicious inputs.

🟠 Likely Case

Performance degradation and service disruption when parsing malicious payloads from untrusted sources.

🟢 If Mitigated

Minimal impact if input validation or rate limiting prevents malicious payloads from reaching vulnerable parsing functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted input to an application that passes it to a vulnerable devalue.parse. No authentication is needed if the application accepts external input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.2

Vendor Advisory: https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf

Restart Required: Yes

Instructions:

1. Update the devalue dependency to version 5.6.2 or later.
2. For npm: run 'npm update devalue'.
3. For yarn: run 'yarn upgrade devalue'.
4. Restart application services.

🔧 Temporary Workarounds

Input validation (applies to: all)

Validate and sanitize all external inputs before passing them to devalue.parse.

Rate limiting (applies to: all)

Implement rate limiting on endpoints that use devalue.parse to limit DoS impact.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to devalue.parse
  • Isolate parsing functionality in separate processes with resource limits

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for a devalue version between 5.1.0 and 5.6.1.

Check Version:

npm list devalue | grep devalue

Verify Fix Applied:

Verify that the resolved devalue version is 5.6.2 or higher in package.json and in the installed dependencies (lockfile and node_modules).

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU/memory usage spikes during data parsing
  • Application crashes or timeouts when processing specific inputs

Network Indicators:

  • Large or malformed payloads sent to endpoints using devalue.parse

SIEM Query:

source=application_logs AND ("devalue.parse" OR "parsing error") AND (cpu_usage>90 OR memory_usage>90)
