CVE-2026-22774
Published: 15 January 2026
Summary
CVE-2026-22774 is a high-severity Amplification (CWE-405) vulnerability in Svelte Devalue. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 5.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping has not yet been run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Reduces impact of amplification attacks that overwhelm the primary site by allowing operations to shift to an equivalent alternate site.
Alternate services reduce the impact of amplification attacks that exhaust primary telecommunications resources.
Amplification attacks that exhaust the primary path are mitigated by the existence of an independent alternate path for command traffic.
Employs controls that mitigate amplification attacks causing asymmetric resource use.
Limits amplification effects by controlling how resources are allocated under high-volume or recursive load.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables application exploitation leading to resource exhaustion DoS via untrusted parse input.
NVD Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
Deeper analysis
CVE-2026-22774 is a denial-of-service vulnerability in the Svelte devalue JavaScript library, which serializes values into strings beyond the capabilities of JSON.stringify. Versions 5.3.0 through 5.6.1 are affected, where certain inputs to devalue.parse can trigger excessive CPU time or memory consumption. The root cause lies in the typed array hydration logic, which assumes an ArrayBuffer input without validation before creating the typed array, leading to resource exhaustion. This issue, rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-405 (Asymmetric Resource Consumption), impacts applications that invoke devalue.parse on untrusted data.
Attackers can exploit this vulnerability remotely without authentication or user interaction by supplying specially crafted inputs to affected applications. Any unauthenticated network attacker targeting a system parsing external data with devalue.parse could induce denial of service through CPU or memory exhaustion, disrupting service availability without compromising confidentiality or integrity.
Mitigation is available via an upgrade to devalue version 5.6.2, which addresses the validation flaw. The Svelte devalue security advisory (GHSA-vw5p-8cq8-m7mv) details the issue, while the release notes and fixing commit (e46afa64dd2b25aa35fb905ba5d20cea63aabbf7) confirm the patch implementation.
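As an added illustration (neither devalue's own code nor part of the advisory), the following shows the defensive pattern the root cause calls for: a typed-array hydration step that verifies it really holds an ArrayBuffer before constructing the view, alongside a helper that tells whether a resolved devalue version falls in the affected 5.3.0 through 5.6.1 range. The function names are hypothetical.

```javascript
// Added illustration, not devalue's code: hardened typed-array hydration plus an
// affected-version check for CVE-2026-22774 (affected 5.3.0..5.6.1, fixed in 5.6.2).

const TYPED_ARRAY_CTORS = {
  Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array,
  Int32Array, Uint32Array, Float32Array, Float64Array, BigInt64Array, BigUint64Array,
};

// Hypothetical hydration step: the view may only be built over a real ArrayBuffer.
// A bare number or array-like value must never reach the constructor, because a
// typed-array constructor given a number allocates that many elements, so the
// allocation size would be driven entirely by untrusted input.
function hydrateTypedArray(kind, buffer, byteOffset = 0, length) {
  const Ctor = TYPED_ARRAY_CTORS[kind];
  if (!Ctor) throw new TypeError(`unknown typed array kind: ${kind}`);
  if (!(buffer instanceof ArrayBuffer)) {
    throw new TypeError(`${kind} hydration requires an ArrayBuffer, got ${typeof buffer}`);
  }
  if (!Number.isInteger(byteOffset) || byteOffset < 0 || byteOffset > buffer.byteLength) {
    throw new RangeError('byteOffset lies outside the backing buffer');
  }
  // The view is bounded by a buffer we already hold, so it cannot amplify allocation;
  // a length past the end of the buffer makes the constructor itself throw RangeError.
  return length === undefined
    ? new Ctor(buffer, byteOffset)
    : new Ctor(buffer, byteOffset, length);
}

// Pass the resolved version from the lockfile, not a package.json range such as ^5.3.0.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim().replace(/^v/, ''));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the installed devalue release is inside the advisory's affected range.
function isAffectedDevalueVersion(version) {
  const v = parseSemver(version);
  return compareSemver(v, [5, 3, 0]) >= 0 && compareSemver(v, [5, 6, 1]) <= 0;
}

// Usage over a constructed 4-byte buffer; a bare number is rejected before any allocation.
const view = hydrateTypedArray('Uint8Array', new Uint8Array([1, 2, 3, 4]).buffer);
console.log(view.length, isAffectedDevalueVersion('5.6.1'), isAffectedDevalueVersion('5.6.2'));
```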
Details
- CWE(s)