CVE-2026-22775
Denial of Service vulnerability in devalue (npm)
What is CVE-2026-22775 About?
This vulnerability is a Denial of Service (DoS) in `devalue.parse` due to excessive CPU/memory consumption. It allows attackers to trigger DoS by providing specially crafted inputs that lead to disproportionate resource use. Exploitation is relatively easy as it primarily involves sending malicious input to affected systems.
Affected Software
Technical Details
The `devalue.parse` function, when hydrating an ArrayBuffer, expects a base64-encoded string but does not validate that assumption before decoding the input. Attackers can leverage this by sending malformed or oversized inputs that are not properly base64-encoded, causing the parser to attempt to decode invalid data or to allocate excessive memory and CPU during processing. This unchecked input handling results in significant resource exhaustion, leading to a denial of service for any system that parses input from untrusted sources.
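The missing check described above, as an added example that is not devalue's own code: validate that a value is a bounded, well-formed base64 string before decoding it into an ArrayBuffer. The function names, the size cap and the error class are assumptions made for illustration.

```javascript
// Added example (not devalue's code): validate a candidate base64 string before
// hydrating it into an ArrayBuffer. Names, cap and error class are assumptions.

const MAX_BASE64_CHARS = 1024 * 1024; // assumed cap: ~768 KiB of decoded bytes

// Strict base64 shape: groups of four alphabet characters, then optional
// "=" or "==" padding. Fixed-width groups keep the match linear in input size.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

class InvalidEncodedBuffer extends Error {}

// True only for inputs that are safe to hand to the decoder: a string,
// within the size cap, and well-formed base64 (length a multiple of 4).
function isValidBase64(value, maxChars = MAX_BASE64_CHARS) {
  if (typeof value !== 'string') return false;
  if (value.length > maxChars) return false;
  if (value.length % 4 !== 0) return false;
  return BASE64_RE.test(value);
}

// Hydrate an ArrayBuffer from base64, rejecting malformed or oversized input
// up front instead of letting the decoder spend CPU and memory on it.
function hydrateArrayBuffer(value, maxChars = MAX_BASE64_CHARS) {
  if (!isValidBase64(value, maxChars)) {
    throw new InvalidEncodedBuffer('expected a bounded, well-formed base64 string');
  }
  const bytes = Buffer.from(value, 'base64');
  // Copy into a standalone ArrayBuffer; a Node Buffer may share a pooled slab.
  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
}
```

Callers that accept devalue output from the network would apply the same gate with a cap sized to the largest buffer they legitimately expect.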
What is the Impact of CVE-2026-22775?
Successful exploitation may allow attackers to disrupt services, make systems unresponsive, or crash applications, leading to a denial of service.
What is the Exploitability of CVE-2026-22775?
Exploitation of this vulnerability is relatively straightforward, requiring no authentication or elevated privileges. An attacker can exploit it remotely by sending specially crafted input to a system that runs `devalue.parse` on externally supplied data. The complexity is low because it relies on the parser's mishandling of one specific input type, the base64 string used for ArrayBuffer hydration. There are no significant constraints beyond the target system's use of the vulnerable `devalue.parse` component, which increases the likelihood of successful exploitation against vulnerable applications.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-22775?
Available Upgrade Options
- devalue
- >=5.1.0, <5.6.2 → Upgrade to 5.6.2
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2026-22775
- https://github.com/sveltejs/devalue/releases/tag/v5.6.2
- https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf
- https://github.com/sveltejs/devalue
- https://osv.dev/vulnerability/GHSA-g2pg-6438-jwpf
- https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4
What are Similar Vulnerabilities to CVE-2026-22775?
Similar Vulnerabilities: CVE-2026-22774, CVE-2022-24756, CVE-2020-8116, CVE-2023-45133, CVE-2022-21671
