Description
devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.
Recommendation
Update the devalue package to the latest compatible version. Version details:
- Affected version(s): >= 5.6.3, <= 5.8.0
- Patched version(s): 5.8.1
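
To check a project against the range above, the following added example (not code from the advisory or from the devalue project) walks the `packages` map of an npm `package-lock.json` and reports every installed copy of devalue that falls in the affected range, including copies nested under other dependencies. It assumes a lockfileVersion 2 or 3 lockfile; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not from the advisory): flag devalue installs in the affected range.
// Range bounds are taken from the advisory text; everything else is an assumption.
const AFFECTED_MIN = [5, 6, 3]; // >= 5.6.3
const AFFECTED_MAX = [5, 8, 0]; // <= 5.8.0

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null for anything else.
function parseVersion(v) {
  if (typeof v !== 'string') return null;
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A prerelease sorts just below its release, so 5.6.3-rc.1 is below the lower bound.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return false;
  const lo = cmp(p.nums, AFFECTED_MIN);
  const aboveMin = lo > 0 || (lo === 0 && !p.pre);
  return aboveMin && cmp(p.nums, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json, including nested copies.
function findAffectedDevalue(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isDevalue = path === 'node_modules/devalue' || path.endsWith('/node_modules/devalue');
    if (isDevalue && isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile; "example-framework" and "example-legacy" are made-up packages.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/devalue': { version: '5.8.1' },
    'node_modules/example-framework/node_modules/devalue': { version: '5.7.0' },
    'node_modules/example-legacy/node_modules/devalue': { version: '5.6.2' },
  },
};

console.log(findAffectedDevalue(SAMPLE_LOCK));
```

A nested copy pinned by another dependency stays affected even after the top-level devalue is updated, which is why the walk covers every `node_modules/devalue` path rather than only the root one.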
Related Issues
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State - CVE-2026-42573
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
Last updated on May 15, 2026


