96 matches found
CVE-2026-22774
CVE-2026-22774 affects the Svelte devalue library. From versions 5.3.0 through 5.6.1, certain inputs trigger devalue.parse to consume excessive CPU time and memory when processing untrusted data, potentially causing denial of service. Root cause: typed array hydration assumes an ArrayBuffer input...
CVE-2026-22774
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse inpu...
CVE-2026-22774 devalue vulnerable to denial of service due to memory exhaustion in devalue.parse
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse inpu...
Asymmetric Resource Consumption (Amplification)
Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Asymmetric Resource Consumption Amplification due to the improper ArrayBuffer type validation in the...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +34 more potentially affected by CVE-2026-22774 via devalue (>=5.3.2 <=5.6.0)
devalue NPM version =5.3.2, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.3.4, =0.20.48 and more...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +34 more potentially affected by CVE-2026-22774 via devalue (>=5.3.2 <=5.6.0)
devalue NPM version =5.3.2, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.3.4, =0.20.48 and more...
PT-2026-3092
Name of the Vulnerable Software and Affected Versions Svelte devalue versions 5.3.0 through 5.6.1 Description Certain inputs can cause the devalue.parse function to consume excessive CPU time and/or memory, potentially leading to a denial of service in systems that parse input from untrusted...
PT-2026-3093
Name of the Vulnerable Software and Affected Versions Svelte devalue versions 5.1.0 through 5.6.1 Description Certain inputs can cause the devalue.parse function to consume excessive CPU time and/or memory, potentially leading to a denial of service. This affects applications using devalue.parse ...
EUVD-2019-0580
Malware in sbrugna...
EUVD-2025-25863
Malicious code in bioql PyPI...
Prototype Pollution
devalue is vulnerable to prototype pollution. The vulnerability is due to devalue.parse not validating that an index is numeric, which allows an attacker to pass a crafted string with a proto property to assign prototypes to objects and properties...
CVE-2025-59414
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specifi...
CVE-2025-59414 Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specifi...
CVE-2025-57820
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype...
CVE-2025-57820
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype...
CVE-2025-57820 Svelte devalue vulnerable to prototype pollution
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype...
CVE-2025-57820
CVE-2025-57820 affects the JavaScript library devalue (used with Svelte). Prior to version 5.3.2, parsing payloads with devalue.parse could allow a proto property and non-numeric indices to be treated in dangerous ways, enabling prototype pollution on objects via the prototype chain. The issue is...
CVE-2025-57820 Svelte devalue vulnerable to prototype pollution
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype...
CVE-2025-57820 Svelte devalue vulnerable to prototype pollution
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype...
Prototype Pollution
Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Prototype Pollution via the parse function. An attacker can manipulate object prototypes or assign...