{"id":"GHSA-g2pg-6438-jwpf","summary":"devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse","details":"## Summary\n\nCertain inputs can cause `devalue.parse` to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using `devalue.parse` on externally-supplied data. The root cause is the `ArrayBuffer` hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input.\n\n## Details\n\nThe parser's `ArrayBuffer` hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system.\n\n## Impact\n\nThis is a denial of service vulnerability affecting systems that use `devalue.parse` to handle data from potentially untrusted sources.\n\nAffected systems should upgrade to patched versions immediately.","aliases":["CVE-2026-22775"],"modified":"2026-02-03T03:17:50.922730Z","published":"2026-01-15T22:15:18Z","database_specific":{"severity":"HIGH","nvd_published_at":"2026-01-15T19:16:05Z","github_reviewed_at":"2026-01-15T22:15:18Z","cwe_ids":["CWE-405"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22775"},{"type":"WEB","url":"https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4"},{"type":"PACKAGE","url":"https://github.com/sveltejs/devalue"},{"type":"WEB","url":"https://github.com/sveltejs/devalue/releases/tag/v5.6.2"}],"affected":[{"package":{"name":"devalue","ecosystem":"npm","purl":"pkg:npm/devalue"},"ranges":[{"type":"SEMVER","events":[{"introduced":"5.1.0"},{"fixed":"5.6.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-g2pg-6438-jwpf/GHSA-g2pg-6438-jwpf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}