Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse

Severity:: High

Description

Certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data.

Recommendation

Update the devalue package to the latest compatible version. Followings are version details:

Affected version(s): >= 5.3.0, <= 5.6.1
Patched version(s): 5.6.2

References

GHSA-vw5p-8cq8-m7mv
CVE-2026-22774
CWE-20
CWE-405
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers - CVE-2026-33538
Cube Core is vulnerable to Denial of Service (DoS) via crafted request - CVE-2026-25957
Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer - CVE-2026-41680

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; devalue

Anything's wrong? Let us know Last updated on January 15, 2026