CVE-2026-42570
HIGH 7.5
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.4% chance of exploitation in 30 days · 30th percentile
Impact if exploited
7.5 CVSS 3.1 · HIGH
- Confidentiality: None
- Integrity: None
- Availability: High
What an attacker needs
- ✓ Access: Reachable over the network — no local access needed
- ✓ Privileges: No account or privileges required
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products
- Devalue
- Red Hat Build Of Podman Desktop
- Red Hat Trusted Artifact Signer
Weakness (CWE)
- CWE-770: Allocation without limits
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Technical & other
- https://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p
- https://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d
- https://github.com/sveltejs/devalue/releases/tag/v5.8.1
- https://access.redhat.com/security/cve/CVE-2026-42570
- https://bugzilla.redhat.com/show_bug.cgi?id=2487050
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42570.json