CVE-2026-42570
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
The Svelte devalue library in versions 5.6.3 through 5.8.0 contains a vulnerability that causes excessive memory consumption when deserializing sparse arrays. This is due to quirks in some JavaScript engines that may allocate more memory than needed.
Risk Assessment
An attacker can send a specially crafted string that, upon deserialization, causes excessive memory consumption, leading to resource exhaustion and potential denial of service (DoS).
Recommendation
Immediately update the Svelte devalue library to version 5.8.1 or later, which contains a fix for this vulnerability.
Original NVD description (English source)
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.

