Asymmetric Resource Consumption (Amplification) in devalue - CVE-2026-22774

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in devalue.parse typed array hydration logic when parsing externally supplied data. A remote attacker can send specially crafted input to cause a denial of service.

This affects applications that use devalue.parse on untrusted input.

How to mitigate CVE-2026-22774

Sources

• https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv
• https://github.com/advisories/GHSA-vw5p-8cq8-m7mv