devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse
- Severity: High
Description
Certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data.
Recommendation
Update the devalue package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 5.1.0, < 5.6.2
- Patched version(s): 5.6.2
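One way to check a project against the range above, as an added example that is not part of the advisory or of the devalue project: it scans the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) for top-level and nested devalue copies. The function names, the sample lockfile and its package names are constructed for illustration, and treating a 5.6.2 prerelease as affected is a conservative assumption based on semver ordering.

```javascript
// Added example: flag devalue copies in the affected range (>= 5.1.0, < 5.6.2).
const AFFECTED_MIN = [5, 1, 0]; // inclusive lower bound, from the advisory
const PATCHED = [5, 6, 2]; // first patched version, from the advisory

// Parse MAJOR.MINOR.PATCH with optional prerelease/build; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// Numeric comparison of [major, minor, patch]; returns -1, 0 or 1.
function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true = in range, false = outside, null = unparseable (review by hand).
// In semver ordering a prerelease sorts before its release, so 5.6.2-x is
// still below 5.6.2 (flagged) and 5.1.0-x is below 5.1.0 (not flagged).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  const lo = cmpCore(p.core, AFFECTED_MIN);
  const hi = cmpCore(p.core, PATCHED);
  if (hi === 0) return p.pre;
  if (lo === 0) return !p.pre;
  return lo > 0 && hi < 0;
}

// Walk every installed copy, including ones nested under other packages.
function findAffectedDevalue(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/devalue" && !path.endsWith("/node_modules/devalue")) continue;
    const affected = isAffected(meta.version);
    if (affected !== false) {
      findings.push({ path, version: meta.version, status: affected ? "affected" : "unparsed" });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is patched, a nested one is not.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/devalue": { version: "5.6.2" },
  "node_modules/some-framework/node_modules/devalue": { version: "5.3.2" },
  "node_modules/legacy-tool/node_modules/devalue": { version: "4.3.3" },
  "node_modules/not-devalue": { version: "5.2.0" } } };
console.log(findAffectedDevalue(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `findAffectedDevalue`.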
References
Related Issues
- Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse - CVE-2026-22774
- Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - CVE-2026-34043
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- Tags: npm, devalue
Last updated on January 15, 2026