96 matches found
CVE-2026-42570
A flaw was found in devalue, a JavaScript library used for serializing values. Due to quirks in some JavaScript engines, the devalue.parse function could be exploited by a remote attacker when deserializing specially crafted sparse arrays. This could lead to excessive memory consumption, resultin...
CVE-2026-42570
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
EUVD-2026-35500
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
CVE-2026-42570 Svelte devalue: DoS via sparse array deserialization
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
CVE-2026-42570
CVE-2026-42570 affects the Svelte devalue library. devalue.parse could allocate excessive memory when deserializing sparse arrays in versions 5.6.3 through 5.8.0, due to engine quirks. The issue is fixed in version 5.8.1. Affected references include GitHub advisories GHSA-77vg-94rm-hx3p and OSV e...
CVE-2026-42570 Svelte devalue: DoS via sparse array deserialization
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
devalue 安全漏洞
devalue is an enhanced JavaScript object serialization library developed by Svelte. Versions of devalue from 5.6.3 to 5.8.1 contained a security vulnerability. This vulnerability stemmed from excessive memory allocation during the deserialization of sparse arrays, which could lead to excessive...
@agent-harness-experimental/workflow (>=0.0.1 <=0.0.5), @ai_kit/workflow-world (>=0.1.0 <=0.2.0) +50 more potentially affected by CVE-2026-42570 via devalue (=5.6.3)
devalue NPM version =5.6.3 is affected by a known vulnerability. The following packages have a transitive dependency on devalue and may be impacted: - @agent-harness-experimental/workflow =0.0.1, =0.1.0, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0,...
Allocation of Resources Without Limits or Throttling
Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attacker can cause...
GHSA-77VG-94RM-HX3P Svelte devalue: DoS via sparse array deserialization
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption...
@agent-harness-experimental/workflow (>=0.0.1 <=0.0.5), @ai_kit/workflow-world (>=0.1.0 <=0.2.0) +50 more potentially affected by CVE-2026-42570 via devalue (=5.6.3)
devalue NPM version =5.6.3 is affected by a known vulnerability. The following packages have a transitive dependency on devalue and may be impacted: - @agent-harness-experimental/workflow =0.0.1, =0.1.0, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0,...
org.webjars.npm:svelte (=5.53.12) potentially affected by CVE-2026-42570 via org.webjars.npm:devalue (=5.6.4)
org.webjars.npm:devalue MAVEN version =5.6.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:devalue and may be impacted: - org.webjars.npm:svelte =5.53.12 Source cves: CVE-2026-42570 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16697434...
NPM: Svelte devalue: DoS via sparse array deserialization
NPM: Svelte devalue: DoS via sparse array deserialization vulnerability discovered by ? in WordPress Npm devalue versions = 5.6.3, = 5.8.0...
Allocation of Resources Without Limits or Throttling
Overview org.webjars.npm:devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attack...
Svelte devalue: DoS via sparse array deserialization
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption...
PT-2026-41133
Name of the Vulnerable Software and Affected Versions devalue affected versions not specified Description The devalue.parse function may allocate excessive memory when deserializing sparse arrays due to specific behaviors in some JavaScript engines. This can lead to high memory consumption...
SUSE CVE-2026-30226
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...
Improper Validation of Specified Type of Input
Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the hydrate function that can accept proto keys...
@agent-harness-experimental/workflow (>=0.0.1 <=0.0.5), @ai_kit/workflow-world (>=0.1.0 <=0.2.0) +77 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.3)
devalue NPM version =5.0.0, =0.0.1, =0.1.0, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0, =3.8.7, =0.2.0, =0.0.9, =1.22.40-beta.development.0, =1.22.85-beta.development.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-DEVALUE-15479704...
@aabelmann/ui-layer (=0.0.1), @adinvadim/convex-vue (>=1.1.0 <=1.3.0) +734 more potentially affected by unknown CVE via devalue (>=4.0.1 <=5.6.3)
devalue NPM version =4.0.1, =1.1.0, =1.0.0, =0.0.1, =0.1.0, =0.2.2, =0.2.2, =0.2.2, =0.3.0, =0.5.7, =0.0.1-beta.3, =0.0.1-alpha.1, =0.0.17, =0.0.2, =0.0.10 and more Source cves: unknown CVE Source advisory: OSV:GHSA-MWV9-GP5H-FRR4...