Description
Under certain circumstances, serializing sparse arrays using uneval or stringify could cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS.
Recommendation
Update the devalue package to the latest compatible version. Followings are version details:
- Affected version(s): <= 5.6.2
- Patched version(s): 5.6.3
References
Related Issues
- devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse - CVE-2026-22774
- node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
- Tags:
- npm
- devalue
Anything's wrong? Let us know Last updated on February 19, 2026