CVE-2026-22775
Published: 15 January 2026
Summary
CVE-2026-22775 is a high-severity Amplification (CWE-405) vulnerability in Svelte Devalue. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 5.3rd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Reduces impact of amplification attacks that overwhelm the primary site by allowing operations to shift to an equivalent alternate site.
Alternate services reduce the impact of amplification attacks that exhaust primary telecommunications resources.
Amplification attacks that exhaust the primary path are mitigated by the existence of an independent alternate path for command traffic.
Employs controls that mitigate amplification attacks causing asymmetric resource use.
Limits amplification effects by controlling how resources are allocated under high-volume or recursive load.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables application-layer resource exhaustion DoS via remote exploitation of unvalidated input in devalue.parse (T1499.004).
NVD Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.
Deeper analysis
CVE-2026-22775 is a denial-of-service vulnerability in the Svelte devalue JavaScript library, which serializes values into strings beyond the capabilities of JSON.stringify. Versions 5.1.0 through 5.6.1 are affected: certain inputs to devalue.parse can trigger excessive CPU time and memory consumption. The root cause lies in the ArrayBuffer hydration logic, which assumes base64-encoded string input and decodes it without first validating that assumption, affecting applications that process externally supplied data with devalue.parse. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-405 (Asymmetric Resource Consumption, also known as Amplification).
Attackers can exploit this vulnerability remotely without authentication or user interaction by providing specially crafted inputs to any application endpoint that invokes devalue.parse on untrusted data. Successful exploitation leads to resource exhaustion, causing denial of service through high CPU and memory usage on the targeted system. No privileges are required, making it accessible to unauthenticated network adversaries.
Mitigation is available in devalue version 5.6.2, which addresses the issue via a fix detailed in the project's GitHub commit (11755849fa0634ae294a15ec0aef2f43efcad7c4), release notes (v5.6.2), and security advisory (GHSA-g2pg-6438-jwpf). Security practitioners should upgrade affected applications to the patched version and audit usage of devalue.parse with untrusted inputs.
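The root cause described above is an unchecked precondition: a hydration step that assumes its input is base64 and decodes it blind. The following is an added illustration, not code from the devalue project and not a reproduction of the 5.6.2 fix (whose details this page does not give). It shows the two checks a defender would want in front of any base64-backed ArrayBuffer hydration, namely a well-formedness check and a bound on the decoded size, plus a generic wrapper that caps payload length before handing a string to a parser. The function names (`isWellFormedBase64`, `hydrateArrayBuffer`, `withInputLimits`) and the size limits are assumptions chosen for the example; `JSON.parse` stands in for `devalue.parse` so the block runs without the library installed.

```javascript
// Added example (not devalue's own code). Demonstrates checking the
// "input is base64" assumption and bounding decoded size before decoding.

// Canonical base64: groups of four alphabet characters, optionally one
// final group carrying one or two '=' padding characters.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// True only for strings that a base64 decoder can consume unambiguously.
function isWellFormedBase64(s) {
  return typeof s === 'string' && s.length % 4 === 0 && BASE64_RE.test(s);
}

// Decoded byte length of a well-formed base64 string, computed from the
// text alone so a size limit can be enforced *before* allocating anything.
function decodedLength(s) {
  const padding = s.endsWith('==') ? 2 : s.endsWith('=') ? 1 : 0;
  return (s.length / 4) * 3 - padding;
}

// Hydrate an ArrayBuffer from a base64 payload, refusing malformed input
// and anything whose decoded size exceeds maxBytes (assumed default: 1 MiB).
function hydrateArrayBuffer(value, maxBytes = 1024 * 1024) {
  if (!isWellFormedBase64(value)) {
    throw new TypeError('ArrayBuffer payload is not well-formed base64');
  }
  const n = decodedLength(value);
  if (n > maxBytes) {
    throw new RangeError(`decoded size ${n} exceeds limit of ${maxBytes} bytes`);
  }
  const buf = Buffer.from(value, 'base64');
  // Copy out exactly the decoded bytes (Buffer.from may use a shared pool).
  return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
}

// Generic guard for any string parser (e.g. devalue.parse on untrusted data):
// reject non-strings and over-long payloads before the parser ever runs.
// maxChars default (256 KiB) is an assumed value; tune it to the application.
function withInputLimits(parse, maxChars = 256 * 1024) {
  return (input) => {
    if (typeof input !== 'string') {
      throw new TypeError('serialized payload must be a string');
    }
    if (input.length > maxChars) {
      throw new RangeError(`payload of ${input.length} chars exceeds limit of ${maxChars}`);
    }
    return parse(input);
  };
}

// Usage with a stand-in parser; with devalue installed you would pass
// devalue.parse instead of JSON.parse.
const guardedParse = withInputLimits(JSON.parse, 1024);
const hello = hydrateArrayBuffer('aGVsbG8='); // constructed sample: "hello"
console.log(new TextDecoder().decode(hello), guardedParse('{"ok":true}'));

module.exports = { isWellFormedBase64, decodedLength, hydrateArrayBuffer, withInputLimits };
```

The order of the checks is the point: well-formedness and the length bound are both computed from the string itself, so a hostile payload is rejected before any decoding or allocation happens, which is exactly the step the vulnerable hydration path skipped.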
Details
- CWE(s)