CVE-2026-22774
Denial of Service vulnerability in devalue (npm)

Category: Denial of Service. Public exploit: none known.

What is CVE-2026-22774 About?

This vulnerability is a Denial of Service (DoS) in `devalue.parse`: specially crafted input makes the parser consume CPU or memory out of proportion to the size of that input. Exploitation requires nothing beyond submitting such input to a system that passes untrusted data through `devalue.parse`.

Affected Software

devalue >=5.3.0, <5.6.2

Technical Details

The typed array hydration logic in `devalue.parse` does not validate its input. It expects the value it turns into a typed array to be an ArrayBuffer, but it hands that value to the typed array constructor without checking the assumption. Typed array constructors accept other argument shapes (a number, for instance, is treated as an element count rather than as data), so a crafted input can make the parser allocate memory or spend CPU out of proportion to the size of the serialized data. For an application that parses data from untrusted sources, this resource exhaustion means an unresponsive or crashed process.
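To make the unchecked pattern concrete, here is an added example written for this page. It is not devalue's own source and does not use the library's wire format: it is a minimal typed-array hydration step in the shape the description above implies, beside a hardened version. The function names, the shape of the decoded input and the byte cap are assumptions made for this example.

```javascript
// Added illustration, not devalue's source: a typed-array hydration step in
// the unchecked shape described above, beside a hardened one. Function names,
// input shape and the byte cap are assumptions for this example.

const TYPED_ARRAY_TYPES = new Set([
  'Int8Array', 'Uint8Array', 'Uint8ClampedArray',
  'Int16Array', 'Uint16Array', 'Int32Array', 'Uint32Array',
  'Float32Array', 'Float64Array', 'BigInt64Array', 'BigUint64Array',
]);

// Unchecked pattern: the decoded "buffer" slot goes straight to the constructor.
// Typed-array constructors accept more than an ArrayBuffer: given a number n
// they allocate n elements, so whoever controls that slot controls the size
// of the allocation, independent of how long the serialized input is.
function hydrateTypedArrayUnchecked(type, decodedBuffer) {
  if (!TYPED_ARRAY_TYPES.has(type)) throw new TypeError(`not a typed array type: ${type}`);
  return new globalThis[type](decodedBuffer);
}

// Hardened pattern: insist on a real ArrayBuffer and bound its size before
// constructing. The cap is an assumed policy value for this example.
function hydrateTypedArrayChecked(type, decodedBuffer, maxBytes = 1 << 20) {
  if (!TYPED_ARRAY_TYPES.has(type)) throw new TypeError(`not a typed array type: ${type}`);
  if (!(decodedBuffer instanceof ArrayBuffer)) {
    throw new TypeError(`${type} hydration expects an ArrayBuffer, got ${typeof decodedBuffer}`);
  }
  if (decodedBuffer.byteLength > maxBytes) {
    throw new RangeError(`ArrayBuffer of ${decodedBuffer.byteLength} bytes exceeds cap of ${maxBytes}`);
  }
  return new globalThis[type](decodedBuffer);
}

// Constructed inputs: a legitimate 3-byte buffer, and a bare number standing
// in for a malformed buffer slot. The number is kept small on purpose; the
// point is that the allocation tracks the number, not the input length.
const legitimateBuffer = new Uint8Array([1, 2, 3]).buffer;
const malformedSlot = 4096;

function demo() {
  const ok = hydrateTypedArrayChecked('Uint8Array', legitimateBuffer);
  const bloated = hydrateTypedArrayUnchecked('Uint8Array', malformedSlot);
  let rejected = null;
  try {
    hydrateTypedArrayChecked('Uint8Array', malformedSlot);
  } catch (e) {
    rejected = e.constructor.name;
  }
  return {
    legitimateLength: ok.length,                  // 3
    uncheckedAllocatedBytes: bloated.byteLength,  // 4096, from a single number
    checkedRejection: rejected,                   // 'TypeError'
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Note what a request-size limit does not buy you here: the allocation follows the value found in the buffer slot, not the length of the serialized input, so a body cap on the endpoint does not by itself prevent the exhaustion. The `instanceof ArrayBuffer` check before the constructor call is the check a hardened hydrator has to make; for this CVE the fix is upgrading to 5.6.2.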

What is the Impact of CVE-2026-22774?

Successful exploitation may allow attackers to cause target systems to consume excessive CPU or memory, leading to service disruption or application crashes (Denial of Service).

What is the Exploitability of CVE-2026-22774?

Exploitation is straightforward and needs no authentication or privileges. An attacker can trigger the Denial of Service remotely by sending crafted input to any system that feeds external data to `devalue.parse`. Attack complexity is low: the input only has to be malformed in the way the parser fails to validate during typed array hydration. The sole precondition is that the target parses untrusted input with a vulnerable version of devalue, which makes this a high-risk issue for such applications.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2026-22774?

Available Upgrade Options

  • devalue
    • >=5.3.0, <5.6.2 → Upgrade to 5.6.2 or later

Check transitive copies as well: `npm ls devalue` lists every instance of the package in the dependency tree with its version, so a fixed top-level dependency does not hide a vulnerable nested one.


Additional Resources

What are Similar Vulnerabilities to CVE-2026-22774?

Similar Vulnerabilities: CVE-2026-22775, CVE-2022-24756, CVE-2020-8116, CVE-2023-45133, CVE-2022-21671