96 matches found
CVE-2026-42570
A flaw was found in devalue, a JavaScript library used for serializing values. Due to quirks in some JavaScript engines, the devalue.parse function could be exploited by a remote attacker when deserializing specially crafted sparse arrays. This could lead to excessive memory consumption, resultin...
CVE-2026-42570
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
EUVD-2026-35500
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
CVE-2026-42570 Svelte devalue: DoS via sparse array deserialization
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
CVE-2026-42570 Svelte devalue: DoS via sparse array deserialization
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when...
CVE-2026-42570
CVE-2026-42570 affects the Svelte devalue library. devalue.parse could allocate excessive memory when deserializing sparse arrays in versions 5.6.3 through 5.8.0, due to engine quirks. The issue is fixed in version 5.8.1. Affected references include GitHub advisories GHSA-77vg-94rm-hx3p and OSV e...
devalue 安全漏洞
devalue is an enhanced JavaScript object serialization library developed by Svelte. Versions of devalue from 5.6.3 to 5.8.1 contained a security vulnerability. This vulnerability stemmed from excessive memory allocation during the deserialization of sparse arrays, which could lead to excessive...
@agent-harness-experimental/workflow (>=0.0.1 <=0.0.4), @commandkit/workflow (>=0.0.0-dev.20251108074143 <=1.2.1-dev.20260414125348) +48 more potentially affected by CVE-2026-42570 via devalue (=5.6.3)
devalue NPM version =5.6.3 is affected by a known vulnerability. The following packages have a transitive dependency on devalue and may be impacted: - @agent-harness-experimental/workflow =0.0.1, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0, =3.8.7,...
NPM: Svelte devalue: DoS via sparse array deserialization
NPM: Svelte devalue: DoS via sparse array deserialization vulnerability discovered by ? in WordPress Npm devalue versions = 5.6.3, = 5.8.0...
@agent-harness-experimental/workflow (>=0.0.1 <=0.0.4), @commandkit/workflow (>=0.0.0-dev.20251108074143 <=1.2.1-dev.20260414125348) +48 more potentially affected by CVE-2026-42570 via devalue (=5.6.3)
devalue NPM version =5.6.3 is affected by a known vulnerability. The following packages have a transitive dependency on devalue and may be impacted: - @agent-harness-experimental/workflow =0.0.1, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0, =3.8.7,...
Allocation of Resources Without Limits or Throttling
Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attacker can cause...
org.webjars.npm:svelte (=5.53.12) potentially affected by CVE-2026-42570 via org.webjars.npm:devalue (=5.6.4)
org.webjars.npm:devalue MAVEN version =5.6.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:devalue and may be impacted: - org.webjars.npm:svelte =5.53.12 Source cves: CVE-2026-42570 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16697434...
GHSA-77VG-94RM-HX3P Svelte devalue: DoS via sparse array deserialization
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption...
Svelte devalue: DoS via sparse array deserialization
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption...
Allocation of Resources Without Limits or Throttling
Overview org.webjars.npm:devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attack...
PT-2026-41133
Name of the Vulnerable Software and Affected Versions devalue affected versions not specified Description The devalue.parse function may allocate excessive memory when deserializing sparse arrays due to specific behaviors in some JavaScript engines. This can lead to high memory consumption...
SUSE CVE-2026-30226
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...
@aabelmann/ui-layer (=0.0.1), @adinvadim/convex-vue (>=1.1.0 <=1.3.0) +753 more potentially affected by unknown CVE via devalue (>=4.0.1 <=5.6.3)
devalue NPM version =4.0.1, =1.1.0, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.2.2, =0.2.2, =0.2.2, =0.3.0, =0.5.7, =0.0.1-beta.3, =0.0.1-alpha.1, =0.0.1-alpha.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-MWV9-GP5H-FRR4...
GHSA-MWV9-GP5H-FRR4 Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
In some circumstances, devalue.parse and devalue.unflatten could emit objects with proto own properties. This in and of itself is not a security vulnerability and is possible with, for example, JSON.parse as well, but it can result in prototype injection if downstream code handles it incorrectly:...
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
In some circumstances, devalue.parse and devalue.unflatten could emit objects with proto own properties. This in and of itself is not a security vulnerability and is possible with, for example, JSON.parse as well, but it can result in prototype injection if downstream code handles it incorrectly:...