CVEs Affecting the Svelte Ecosystem

Summary

We’ve released patches for 5 vulnerabilities across devalue, svelte, @sveltejs/kit, and @sveltejs/adapter-node. Here’s what you need to know: Upgrade nowIf you’re using any of these packages, upgrade them to their corresponding non-vulnerable versions: devalue: 5.6.2 svelte: 5.46.4 @sveltejs/kit: 2.49.5 @sveltejs/adapter-node: 5.5.1 For cross-dependent packages — svelte and @sveltejs/kit depend on devalue — patched versions already include upgraded dependencies. We’re extremely thankful to all of the security researchers who responsibly disclosed these vulnerabilities and worked with us to get them fixed, to the security team at Vercel who helped us navigate the disclosure process, and to the maintainers who worked to publish the fixes. Over the last few weeks, we’ve seen a spate of high profile vulnerabilities affecting popular tools across the web development ecosystem. While they are unfortunate, it has been encouraging to see the community pulling together to keep end users safe. Using the lessons learned from these vulnerabilities, we will invest in processes that will help catch future bugs during the writing and review phases, before they go live. If you think you have discovered a vulnerability in a package maintained by the Svelte team, we urge you to privately report it via the Security tab on the repo in question (or the Svelte repo, if unsure). DetailsFull reports are available in the published security advisories, but we’ve included a brief summary of each below. CVE-2026-22775: DoS in devalue.parse due to memory/CPU exhaustion Packages affected: You’re affected if: You’re using devalue versions 5.1.0 through 5.6.1, and You’re parsing user-controlled input Effects: A malicious payload can cause arbitrarily large memory allocation, potentially crashing the process SvelteKit applications using remote functions are vulnerable, as the parameters are run through devalue.parse If you don’t have remote functions enabled, SvelteKit is not vulnerable CVE-2026-22...