{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-42570/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["devalue"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","cve-2026-42570"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003edevalue\u003c/code\u003e package, versions 5.6.3 through 5.8.0, is susceptible to a denial-of-service (DoS) vulnerability. The \u003ccode\u003edevalue.parse\u003c/code\u003e function, when processing crafted inputs, can be tricked into allocating significantly more memory than necessary when deserializing sparse arrays. This behavior stems from quirks in certain JavaScript engines and can lead to excessive memory consumption, potentially crashing the application or server. This vulnerability is identified as CVE-2026-42570 and can be exploited remotely without authentication or user interaction. The vulnerability was patched in version 5.8.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious payload containing a specially designed sparse array.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious payload to a server or application that uses the vulnerable \u003ccode\u003edevalue\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003edevalue.parse\u003c/code\u003e to deserialize the payload.\u003c/li\u003e\n\u003cli\u003eDue to the structure of the sparse array, the JavaScript engine begins allocating large amounts of memory.\u003c/li\u003e\n\u003cli\u003eMemory consumption increases rapidly, potentially exhausting available resources.\u003c/li\u003e\n\u003cli\u003eThe application or server becomes unresponsive due to the memory pressure.\u003c/li\u003e\n\u003cli\u003eThe application crashes or the server experiences a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, rendering the affected application or server unavailable. While the precise number of affected systems is unknown, any application utilizing the vulnerable versions of \u003ccode\u003edevalue\u003c/code\u003e is potentially at risk. The high CVSS score reflects the ease of exploitation and the potential for significant impact on availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003edevalue\u003c/code\u003e package to version 5.8.1 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor application resource consumption (memory, CPU) for unexpected spikes, especially after processing external data.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious devalue.parse Usage\u003c/code\u003e to identify potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and input validation to prevent excessive or malformed data from reaching the \u003ccode\u003edevalue.parse\u003c/code\u003e function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:27:05Z","date_published":"2026-05-14T20:27:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-devalue-dos/","summary":"The `devalue` package is vulnerable to a denial-of-service (DoS) attack (CVE-2026-42570) due to excessive memory allocation during sparse array deserialization via `devalue.parse`, affecting versions 5.6.3 through 5.8.0.","title":"Svelte devalue Denial-of-Service via Sparse Array Deserialization (CVE-2026-42570)","url":"https://feed.craftedsignal.io/briefs/2026-05-devalue-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-42570","version":"https://jsonfeed.org/version/1.1"}