CVE Catalog

CVE-2026-42570

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile - higher than 30% of all known CVEs

Summary

The Svelte devalue library in versions 5.6.3 through 5.8.0 contains a vulnerability that causes excessive memory consumption when deserializing sparse arrays. This is due to quirks in some JavaScript engines that may allocate more memory than needed.

Risk Assessment

An attacker can send a specially crafted string that, upon deserialization, causes excessive memory consumption, leading to resource exhaustion and potential denial of service (DoS).

Recommendation

Immediately update the Svelte devalue library to version 5.8.1 or later, which contains a fix for this vulnerability.

Original NVD description (English source)

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS