
CVE-2026-22775

Severity: High · Category: DDoS

Published: 15 January 2026
Modified: 20 January 2026
KEV Added: not listed
Patch: available (version 5.6.2)
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0004 (12.0th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22775 is a high-severity Amplification (CWE-405) vulnerability in Svelte Devalue. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 12.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-22775 is a denial-of-service vulnerability in the Svelte devalue JavaScript library, which serializes values into strings beyond the capabilities of JSON.stringify. Versions 5.1.0 through 5.6.1 are affected, where certain inputs to devalue.parse can trigger excessive CPU time and memory consumption. The root cause lies in the ArrayBuffer hydration logic, which assumes base64-encoded string input without validation prior to decoding, impacting applications that process externally supplied data with devalue.parse. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-405 (Asymmetric Resource Consumption, or resource exhaustion).

Attackers can exploit this vulnerability remotely without authentication or user interaction by providing specially crafted inputs to any application endpoint that invokes devalue.parse on untrusted data. Successful exploitation leads to resource exhaustion, causing denial of service through high CPU and memory usage on the targeted system. No privileges are required, making it accessible to unauthenticated network adversaries.

Mitigation is available in devalue version 5.6.2, which addresses the issue via a fix detailed in the project's GitHub commit (11755849fa0634ae294a15ec0aef2f43efcad7c4), release notes (v5.6.2), and security advisory (GHSA-g2pg-6438-jwpf). Security practitioners should upgrade affected applications to the patched version and audit usage of devalue.parse with untrusted inputs.


Vulnerability details

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Directly enables application-layer resource exhaustion DoS via remote exploitation of unvalidated input in devalue.parse (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22774 (same product: Svelte Devalue)
CVE-2026-30226 (same product: Svelte Devalue)
CVE-2026-22803 (same vendor: Svelte)
CVE-2025-30204 (shared CWE-405)
CVE-2026-40074 (same vendor: Svelte)
CVE-2026-25611 (shared CWE-405)
CVE-2025-67647 (same vendor: Svelte)
CVE-2026-40073 (same vendor: Svelte)
CVE-2025-53633 (shared CWE-405)
CVE-2024-11187 (shared CWE-405)

Affected Assets

Vendor: svelte
Product: devalue
Versions: 5.1.0 to 5.6.2 (5.1.0 through 5.6.1 are affected; 5.6.2 is the fixed release)

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Installing the patched devalue version 5.6.2 directly remediates the ArrayBuffer hydration flaw causing excessive CPU and memory consumption.

Prevent: Validating externally supplied inputs to devalue.parse for expected formats like base64 prevents malformed data from triggering resource exhaustion.

Prevent / detect (SC-6 Resource Availability): Resource allocation controls and monitoring mitigate the denial-of-service impact from high CPU and memory usage exploited via untrusted inputs.
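The input-validation and resource-availability controls above can be combined in a small guard placed in front of devalue.parse. The following is an added example for this page, not code from the advisory or the devalue project: it bounds the raw input size before any parsing, and for strings the application expects to carry binary data it checks strict base64 form and computes the decoded size from the length alone, so the budget is enforced before any buffer is allocated. The parser is passed in as a function (JSON.parse stands in below because devalue is not loaded); the byte budgets are constructed defaults and the function names are this example's own.

```javascript
// Added example, not from the advisory or the devalue project.
// A guard for untrusted strings destined for devalue.parse (or any parser):
//  1. reject inputs larger than a fixed byte budget before parsing;
//  2. for expected-base64 fields, validate strictly and bound the decoded
//     size, computed from the string length, before decoding.

// Constructed defaults; an application would tune these per endpoint.
const DEFAULT_MAX_INPUT_BYTES = 64 * 1024;
const DEFAULT_MAX_DECODED_BYTES = 16 * 1024;

// Canonical base64 alphabet in 4-character groups, with at most two '=' pads.
// All groups are fixed width, so a mismatch backtracks in linear time.
const STRICT_BASE64_RE =
  /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$/;

// True only for well-formed, padded base64 whose length is a multiple of 4.
function isStrictBase64(s) {
  return typeof s === 'string' && s.length % 4 === 0 && STRICT_BASE64_RE.test(s);
}

// Bytes a valid base64 string decodes to, derived without decoding it.
function base64DecodedLength(s) {
  if (!isStrictBase64(s)) throw new TypeError('input is not strict base64');
  const pad = s.endsWith('==') ? 2 : s.endsWith('=') ? 1 : 0;
  return (s.length / 4) * 3 - pad;
}

// Validate, check the decoded size against the budget, and only then decode.
// Returns a Buffer; throws TypeError on malformed input, RangeError on overrun.
function decodeBase64Bounded(s, maxDecodedBytes = DEFAULT_MAX_DECODED_BYTES) {
  const n = base64DecodedLength(s);
  if (n > maxDecodedBytes) {
    throw new RangeError(`decoded size ${n} exceeds budget ${maxDecodedBytes}`);
  }
  return Buffer.from(s, 'base64');
}

// Wrap a parser such as devalue.parse: reject over-budget input up front so a
// single request cannot drive CPU or memory far beyond its own size.
function guardedParse(input, parse, { maxBytes = DEFAULT_MAX_INPUT_BYTES } = {}) {
  if (typeof input !== 'string') throw new TypeError('input must be a string');
  const bytes = Buffer.byteLength(input, 'utf8');
  if (bytes > maxBytes) {
    throw new RangeError(`input of ${bytes} bytes exceeds budget ${maxBytes}`);
  }
  return parse(input);
}

// Stand-alone demonstration on constructed inputs; JSON.parse stands in for
// devalue.parse, which would be passed in the same way by the application.
console.log(guardedParse('{"ok":true}', JSON.parse));            // { ok: true }
console.log(decodeBase64Bounded('aGVsbG8=').toString('utf8'));    // hello
console.log(isStrictBase64('aGVsbG8'), isStrictBase64('aGVs!G8=')); // false false
```

The guard is a compensating control, not a substitute for the fix: upgrade to devalue 5.6.2 (`npm ls devalue` shows which version a dependency tree actually resolves), and keep the byte budgets even after upgrading, since a bound on untrusted input size limits the blast radius of any future parser flaw.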
