Description
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.
Recommendation
Update the devalue package to the latest compatible version. Followings are version details:
- Affected version(s): >= 5.6.3, <= 5.8.0
- Patched version(s): 5.8.1
References
Related Issues
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- Svelte affected by cross-site scripting via spread attributes in Svelte SSR - CVE-2026-27121
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
- Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
You might also like:
- Tags:
- npm
- devalue
Anything's wrong? Let us know Last updated on May 15, 2026


