Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse

Severity:: High

Description

Certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data.

Recommendation

Update the devalue package to the latest compatible version. Followings are version details:

Affected version(s): >= 5.3.0, <= 5.6.1
Patched version(s): 5.6.2

References

GHSA-vw5p-8cq8-m7mv
CVE-2026-22774
CWE-20
CWE-405
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding - CVE-2025-11362
devalue prototype pollution vulnerability - CVE-2025-57820
Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering - CVE-2025-54075

Tags:: npm; devalue

Anything's wrong? Let us know Last updated on January 15, 2026