CVE-2026-42570: Svelte devalue: DoS via sparse array deserialization
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability exists in the Svelte devalue JavaScript library, affecting versions from 5.6.3 up to but not including 5.8.1. The flaw is reachable over the network without authentication: deserializing a crafted sparse array with devalue.parse exploits a quirk in certain JavaScript engines that causes the parser to allocate far more memory than the payload warrants, exhausting available memory on the host. Successful exploitation crashes or degrades the affected service. Note: the upstream description states the issue has been patched in version 5.8.1, but no fix version has yet been formally published to the advisory record; HarborGuard is tracking the advisory for confirmed patch availability.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle the affected devalue package.
- Prioritization: Available. HarborGuard scores this finding at CVSS 7.5 (High) and weights it against each environment's compliance policy to determine ticket priority and routing, directing alerts to the appropriate team inbox within each customer organization.
- Remediation: Pending upstream. Because no fix version has been formally confirmed in the advisory record, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available as soon as a confirmed fix version is published. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that time.
Exploit Conditions
- Network reachability: Required. The vulnerable deserialization path is exposed over the network, so an attacker must be able to send crafted input to the service from a remote network location.
- Authentication: Not required. No credentials or account of any kind are needed to send the malicious payload to the affected endpoint.
- Victim interaction: Not required. No user or administrator needs to take any action; submitting the crafted input is sufficient to trigger the vulnerability.
- Attack complexity: Low. Exploitation is reliable and condition-free; no race condition, memory layout dependency, or other environmental factor needs to be satisfied to trigger the excessive allocation.
Blast Radius
- Causes devalue.parse to allocate far more memory than the payload warrants inside the JavaScript engine process, consuming heap until the process is killed or becomes unresponsive.
- Crashes or degrades the affected Svelte application or API server, making it unavailable to legitimate users until the process is restarted.
- In shared-runtime environments (for example, a Node.js server handling multiple tenants), a single malicious request can deny service to all concurrent users of that process.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-42570 is active across all connected registries and pipelines, with matches surfaced within minutes of the advisory being ingested. Because no fix version is formally confirmed in the upstream advisory at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as a fix version is published; for customers with auto-remediation enabled, that triggers an automatic rebuild at the patched version, a regression-test run, and a PR against affected workloads. In the interim, restrict which clients can reach endpoints that pass untrusted input to devalue.parse (network policy or authentication in front of the endpoint), and enforce payload size and structure limits at the API or reverse-proxy layer so that crafted sparse-array payloads are rejected before deserialization. Since the upstream description itself names 5.8.1 as the patched release, teams that manage the dependency directly can check whether that version is already available to them.
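As an added example (not code from devalue, Svelte or HarborGuard), the following Node.js snippet shows the two checks a practitioner would want from this advisory: a version test against the affected range, and a pre-parse guard that rejects oversized or hole-heavy payloads before they reach devalue.parse. It relies on devalue's serialized format, in which devalue.stringify emits a JSON array of entries, an Array is encoded as a JSON array of entry indices, and an empty slot is the marker -2; the numeric limits, the helper names and the sample payloads are constructed for illustration and are not values taken from the advisory.

```javascript
// Added example, not code from devalue or HarborGuard. Two checks around
// CVE-2026-42570 for a service that feeds untrusted input to devalue.parse:
//   1. isAffectedDevalue(version): is an installed version in [5.6.3, 5.8.1)?
//   2. guardDevaluePayload(payload): reject a payload before devalue.parse
//      sees it when it is oversized or contains Arrays with too many holes.
// Assumption about the wire format: devalue.stringify emits a JSON array of
// entries, an Array is encoded as a JSON array of entry indices, and an empty
// slot (hole) is the marker -2. The numeric limits below are illustrative.

const AFFECTED_MIN = [5, 6, 3]; // first affected version (inclusive)
const FIXED_IN = [5, 8, 1];     // first fixed version (exclusive upper bound)
const HOLE = -2;                // devalue's marker for an empty array slot

// Lexicographic comparison of two [major, minor, patch] tuples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// "5.7.0", "v5.7.0" or "^5.7.0" -> [5, 7, 0]; anything else throws.
function parseVersion(version) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the installed devalue version is >= 5.6.3 and < 5.8.1.
function isAffectedDevalue(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Structural pre-check on a serialized payload. Returns { ok, reason }.
// Call it on the raw request body before devalue.parse(body).
function guardDevaluePayload(payload, limits = {}) {
  const maxBytes = limits.maxBytes ?? 64 * 1024;          // whole payload
  const maxArrayLength = limits.maxArrayLength ?? 10000;  // slots per Array
  const maxHoles = limits.maxHoles ?? 100;                // holes per Array

  if (typeof payload !== 'string') {
    return { ok: false, reason: 'payload must be a string' };
  }
  if (new TextEncoder().encode(payload).length > maxBytes) {
    return { ok: false, reason: 'payload exceeds size limit' };
  }

  let entries;
  try {
    entries = JSON.parse(payload);
  } catch {
    return { ok: false, reason: 'payload is not valid JSON' };
  }
  // A bare number is devalue's encoding of a special value (undefined, NaN, ...).
  if (typeof entries === 'number') return { ok: true };
  if (!Array.isArray(entries)) {
    return { ok: false, reason: 'unexpected top-level shape' };
  }

  for (const [index, entry] of entries.entries()) {
    // Only JSON arrays encode Arrays; tagged values such as ["Date", 3] start
    // with a string, and objects, strings and numbers carry no holes.
    if (!Array.isArray(entry) || typeof entry[0] === 'string') continue;
    if (entry.length > maxArrayLength) {
      return { ok: false, reason: `array at entry ${index} declares ${entry.length} slots` };
    }
    let holes = 0;
    for (const slot of entry) {
      if (slot === HOLE) holes += 1;
    }
    if (holes > maxHoles) {
      return { ok: false, reason: `array at entry ${index} contains ${holes} holes` };
    }
  }
  return { ok: true };
}

// Constructed sample payloads (what devalue.stringify would emit under the
// format assumption above): [1, <hole>, 3] and an Array of 1000 holes.
const BENIGN_PAYLOAD = '[[1,-2,2],1,3]';
const SPARSE_PAYLOAD = '[[' + new Array(1000).fill(HOLE).join(',') + ']]';

console.log('devalue 5.7.0 affected:', isAffectedDevalue('5.7.0'));
console.log('benign payload:', guardDevaluePayload(BENIGN_PAYLOAD));
console.log('sparse payload:', guardDevaluePayload(SPARSE_PAYLOAD));
```

The guard deliberately runs JSON.parse itself only after the byte-size cap, so the pre-check cannot become a second allocation sink; the hole and slot limits should be tuned to the largest arrays the application legitimately serializes, and the guard is a stopgap rather than a substitute for upgrading once the fixed release is confirmed.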
Affected Products
- sveltejs / devalue: >= 5.6.3, < 5.8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H