GHSA-77VG-94RM-HX3P Svelte devalue: DoS via sparse array deserialization
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption...
Allocation of Resources Without Limits or Throttling
Overview devalue is like JSON.stringify, but also handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attacker can cause...
123peterkim-minirpc (=0.0.1), @0x330a/wagmi-svelte5 (>=0.2.0 <=0.2.3) +1763 more potentially affected by CVE-2026-42570 via devalue (>=5.6.3 <=5.8.0)
devalue NPM version =5.6.3, =0.2.0, =0.0.1, =0.0.1, =0.0.1, =7.10.0, =7.10.0, =0.0.3, =0.2.0, =1.7.7, =2.0.6, =0.0.5, =16.0.0, =1.0.1, =1.1.19 and more Source cves: CVE-2026-42570 Source advisory: OSV:GHSA-77VG-94RM-HX3P...
Allocation of Resources Without Limits or Throttling
Overview org.webjars.npm:devalue is like JSON.stringify, but also handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attack...
org.webjars.npm:svelte (=5.53.12) potentially affected by CVE-2026-42570 via org.webjars.npm:devalue (=5.6.4)
org.webjars.npm:devalue MAVEN version =5.6.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:devalue and may be impacted: - org.webjars.npm:svelte =5.53.12 Source cves: CVE-2026-42570 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16697434...
NPM: Svelte devalue: DoS via sparse array deserialization
NPM: Svelte devalue: DoS via sparse array deserialization vulnerability discovered by ? in WordPress Npm devalue versions = 5.6.3, = 5.8.0...
123peterkim-minirpc (=0.0.1), @0x330a/wagmi-svelte5 (>=0.2.0 <=0.2.3) +1763 more potentially affected by CVE-2026-42570 via devalue (>=5.6.3 <=5.8.0)
devalue NPM version =5.6.3, =0.2.0, =0.0.1, =0.0.1, =0.0.1, =7.10.0, =7.10.0, =0.0.3, =0.2.0, =1.7.7, =2.0.6, =0.0.5, =16.0.0, =1.0.1, =1.1.19 and more Source cves: CVE-2026-42570 Source advisory: SNYK:JS-DEVALUE-16697433...
PT-2026-41133
Name of the Vulnerable Software and Affected Versions devalue affected versions not specified Description The devalue.parse function may allocate excessive memory when deserializing sparse arrays due to specific behaviors in some JavaScript engines. This can lead to high memory consumption...
SUSE CVE-2026-30226
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...
GHSA-MWV9-GP5H-FRR4 Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
In some circumstances, devalue.parse and devalue.unflatten could emit objects with `__proto__` own properties. This in and of itself is not a security vulnerability and is possible with, for example, JSON.parse as well, but it can result in prototype injection if downstream code handles it incorrectly:...
Improper Validation of Specified Type of Input
Overview devalue is like JSON.stringify, but also handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the hydrate function, which can accept `__proto__` keys...
@commandkit/workflow (>=0.0.0-dev.20251108074143 <=1.2.1-dev.20260414125348), @contractspec/app.cli-contractspec (>=4.2.3 <=6.3.4) +73 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.3)
devalue NPM version =5.0.0, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0, =3.8.7, =0.2.0, =0.0.9, =1.22.40-beta.development.0, =1.21.56-beta.0, =1.8.5-beta.0, =1.17.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-DEVALUE-15479704...
@aabelmann/ui-layer (=0.0.1), @adinvadim/convex-vue (>=1.1.0 <=1.3.0) +742 more potentially affected by unknown CVE via devalue (>=4.0.1 <=5.6.3)
devalue NPM version =4.0.1, =1.1.0, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =0.2.2, =0.2.2, =0.2.2, =0.3.0, =0.5.7, =0.0.1-beta.3, =0.0.1-alpha.1, =0.0.17, =0.0.18 and more Source cves: unknown CVE Source advisory: OSV:GHSA-MWV9-GP5H-FRR4...
0xrtest (=1.0.0), 3nit-utils (>=0.30.0 <=1.0.2) +1397 more potentially affected by CVE-2026-30226 via devalue (>=1.1.1 <=5.6.3)
devalue NPM version =1.1.1, =0.30.0, =0.0.0-canary.0, =0.0.11, =0.1.0, =1.1.0, =1.0.1, =1.1.0, =0.0.27, =1.0.4, =1.0.0, =1.0.1 and more Source cves: CVE-2026-30226 Source advisory: OSV:GHSA-CFW5-2VXH-HR84...
GHSA-CFW5-2VXH-HR84 devalue has prototype pollution in devalue.parse and devalue.unflatten
In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion...
CVE-2026-30226
A flaw was found in the Svelte devalue JavaScript library. A remote attacker could exploit a prototype pollution vulnerability by sending maliciously crafted payloads to the devalue.parse or devalue.unflatten functions. Successful exploitation of this flaw could lead to a Denial of Service (DoS)...
Prototype Pollution
Overview devalue is like JSON.stringify, but also handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Prototype Pollution via the parse or unflatten functions. An attacker can manipulate object prototype...