DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-22775: Devalue, Indeed: How a Simple Serializer Can Crash Your Svelte App

Vulnerability ID: CVE-2026-22775
CVSS Score: 7.5
Published: 2026-01-15

A critical Denial of Service (DoS) vulnerability in the devalue library allows attackers to trigger massive memory allocations or stack overflows via malformed JSON input, crashing Node.js servers.

TL;DR

The devalue library, a staple in the Svelte ecosystem for serializing JS data, failed to validate types during hydration. By passing a massive integer length instead of an ArrayBuffer reference to a TypedArray constructor, an attacker can trick the server into allocating gigabytes of memory instantly. A separate vector allows for infinite recursion via circular references. Both lead to a process crash (DoS).


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-405 (Asymmetric Resource Consumption)
  • Attack Vector: Network (Remote)
  • CVSS: 7.5 (High)
  • Impact: Denial of Service (DoS)
  • Exploit Status: PoC Available
  • Affected Component: devalue.parse()

Affected Systems

  • SvelteKit Applications (Server-Side Rendering)
  • Node.js applications using devalue for serialization
  • Custom state hydration logic relying on devalue
  • devalue: >= 5.1.0, < 5.6.2 (Fixed in: 5.6.2)

Code Analysis

Commit: 1175584

Fix: hardening against DoS attacks via recursion and memory allocation

@@ -100,7 +100,14 @@
       case 'Int8Array':
       case 'Uint8Array':
-        return new constructors[type](hydrate(value[1]));
+        const bufferIndex = value[1];
+        if (values[bufferIndex][0] !== 'ArrayBuffer') throw new Error('Invalid data');
+        return new constructors[type](hydrate(bufferIndex));
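Review bot: the new check reads values[bufferIndex][0] before anything confirms that bufferIndex is an integer index that exists in values, so a value[1] that is out of range or not a number makes values[bufferIndex] undefined and the line throws a TypeError instead of the intended 'Invalid data' error. Suggest testing that bufferIndex is an integer and that values[bufferIndex] is an array before comparing its first element to 'ArrayBuffer', so every malformed reference takes the same rejection path. Separately, const bufferIndex is declared directly under the case labels without braces, which scopes it to the whole switch; wrapping the case body in { } avoids a clash with a same-named declaration in another case.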

Exploit Details

  • Internal Research: JavaScript heap out of memory exploit via TypedArray length manipulation

Mitigation Strategies

  • Input Validation: Ensure strict type checking before object instantiation.
  • Resource Limits: Enforce memory limits on containerized Node.js processes.
  • Dependency Management: Regularly audit and update deep dependencies.

Remediation Steps:

  1. Locate the devalue dependency in your project (often nested within SvelteKit).
  2. Run npm update devalue or yarn upgrade devalue.
  3. Verify the installed version is >= 5.6.2 using npm list devalue.
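
Because devalue is often nested, a project can hold several copies at different versions. The following added example (not code from the devalue project or the original report) walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and classifies every devalue copy against the affected range stated above; the sample lockfile and the names demo-app, legacy-tool and devalue-extra are constructed for illustration.

```javascript
const AFFECTED_MIN = [5, 1, 0]; // from the advisory: >= 5.1.0
const FIXED_IN = [5, 6, 2];     // from the advisory: fixed in 5.6.2

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Classify one version string. Anything that is not plain x.y.z
// (prerelease tags, missing version) is left for manual review.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return 'unknown';
  const v = m.slice(1).map(Number);
  return cmp(v, AFFECTED_MIN) >= 0 && cmp(v, FIXED_IN) < 0 ? 'affected' : 'ok';
}

// Report every devalue copy in the lockfile, including copies nested
// under another package's node_modules directory.
function findDevalue(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/devalue$/.test(path)) continue;
    out.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return out;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/devalue': { version: '5.6.2' },
    'node_modules/@sveltejs/kit/node_modules/devalue': { version: '5.3.2' },
    'node_modules/legacy-tool/node_modules/devalue': { version: '4.3.3' },
    'node_modules/devalue-extra': { version: '5.2.0' }, // different package, must be ignored
  },
};

for (const hit of findDevalue(sampleLock)) {
  console.log(`${hit.status.padEnd(8)} ${hit.version}  ${hit.path}`);
}
```

To scan a real project, pass the parsed contents of its package-lock.json to findDevalue instead of sampleLock.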
