CVE-2026-22775
Published: 15 January 2026
Summary
CVE-2026-22775 is a high-severity Amplification (CWE-405) vulnerability in Svelte Devalue. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 12.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-22775 is a denial-of-service vulnerability in the Svelte devalue JavaScript library, which serializes values into strings beyond the capabilities of JSON.stringify. Versions 5.1.0 through 5.6.1 are affected, where certain inputs to devalue.parse can trigger excessive CPU time and memory consumption. The root cause lies in the ArrayBuffer hydration logic, which assumes base64-encoded string input without validation prior to decoding, impacting applications that process externally supplied data with devalue.parse. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-405 (Asymmetric Resource Consumption, or resource exhaustion).
Attackers can exploit this vulnerability remotely without authentication or user interaction by providing specially crafted inputs to any application endpoint that invokes devalue.parse on untrusted data. Successful exploitation leads to resource exhaustion, causing denial of service through high CPU and memory usage on the targeted system. No privileges are required, making it accessible to unauthenticated network adversaries.
Mitigation is available in devalue version 5.6.2, which addresses the issue via a fix detailed in the project's GitHub commit (11755849fa0634ae294a15ec0aef2f43efcad7c4), release notes (v5.6.2), and security advisory (GHSA-g2pg-6438-jwpf). Security practitioners should upgrade affected applications to the patched version and audit usage of devalue.parse with untrusted inputs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2680
Vulnerability details
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables application-layer resource exhaustion DoS via remote exploitation of unvalidated input in devalue.parse (T1499.004).
Mitigating Controls (NIST 800-53 r5)
Installing the patched devalue version 5.6.2 directly remediates the ArrayBuffer hydration flaw causing excessive CPU and memory consumption.
Validating externally supplied inputs to devalue.parse for expected formats like base64 prevents malformed data from triggering resource exhaustion.
Resource allocation controls and monitoring mitigate the denial-of-service impact from high CPU and memory usage exploited via untrusted inputs.
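Because the flaw is that ArrayBuffer hydration decodes whatever string it is handed, the input-validation control above can be made concrete as a pre-parse guard. The following is an added example written for this page, not code from the devalue project; it assumes devalue 5.x encodes an ArrayBuffer chunk as ["ArrayBuffer", "<base64>"] inside its top-level JSON array and that the parse callback is devalue.parse in production (JSON.parse stands in when run stand-alone).

```javascript
// Added example, not devalue's own code: vet a serialized payload from an
// untrusted source before it reaches devalue.parse. It caps total payload size,
// confirms the outer structure is the JSON chunk array devalue emits, and
// rejects any ArrayBuffer entry whose content is not strict, bounded base64,
// so the hydration step never decodes arbitrary input.
// Assumption: devalue 5.x encodes an ArrayBuffer chunk as ["ArrayBuffer", "<base64>"];
// verify the tag against the version you run.

const MAX_PAYLOAD_CHARS = 1 << 20;        // 1 MiB of serialized text
const MAX_BUFFER_B64_CHARS = 256 * 1024;  // per-buffer cap (~192 KiB decoded)

// Strict base64: full quartets from the alphabet, optional padded tail, nothing else.
const STRICT_B64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function isStrictBase64(s) {
  return typeof s === 'string' && s.length <= MAX_BUFFER_B64_CHARS && STRICT_B64.test(s);
}

// Returns null when the payload passes every check, otherwise a reason string.
function validateDevaluePayload(serialized) {
  if (typeof serialized !== 'string') return 'payload must be a string';
  if (serialized.length > MAX_PAYLOAD_CHARS) return 'payload exceeds size budget';
  let chunks;
  try {
    chunks = JSON.parse(serialized);
  } catch {
    return 'payload is not valid JSON';
  }
  // Assumption: devalue emits a bare number for a few special top-level values
  // (e.g. undefined, NaN); there is nothing to hydrate, so accept it as-is.
  if (typeof chunks === 'number') return null;
  if (!Array.isArray(chunks)) return 'payload is not a devalue chunk array';
  for (const chunk of chunks) {
    // User arrays serialize as arrays of numeric indices, so a string in slot 0 is a type tag.
    if (Array.isArray(chunk) && chunk[0] === 'ArrayBuffer') {
      if (chunk.length !== 2 || !isStrictBase64(chunk[1])) return 'malformed ArrayBuffer entry';
    }
  }
  return null;
}

// Hands the payload to the real parser (devalue.parse in production) only once vetted.
function guardedParse(serialized, parse) {
  const problem = validateDevaluePayload(serialized);
  if (problem !== null) throw new Error(`rejected untrusted payload: ${problem}`);
  return parse(serialized);
}
```

The guard is a defence-in-depth layer for endpoints that cannot upgrade immediately; upgrading to 5.6.2 remains the primary fix.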