
Sveltejs devalue functions can pollute object prototypes

GHSA-mwv9-gp5h-frr4
Summary

Sveltejs's devalue functions can emit objects carrying properties that other objects then inherit, which may let malicious code run if downstream code handles those objects incorrectly. This is not a security vulnerability in devalue itself, but it can cause problems if not handled carefully. To avoid issues, review downstream code that uses objects created with devalue functions and ensure they are handled properly.

What to do
  • Update devalue to version 5.6.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|--------|---------|-------------------|---------------|
| –      | devalue | <= 5.6.3          | 5.6.4         |
Original title
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
Original description
In some circumstances, `devalue.parse` and `devalue.unflatten` could emit objects with `__proto__` own properties. This in and of itself is not a security vulnerability (and is possible with, for example, `JSON.parse` as well), but it can result in prototype injection if _downstream_ code handles it incorrectly:

```ts
import * as devalue from 'devalue';

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted: Object.assign uses [[Set]], so an own `__proto__` key rewrites the prototype chain
```
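The snippet above shows the sink but elides the input. The following is an added example, not code from the devalue project or the advisory: it builds an object with an own `__proto__` property via `JSON.parse` (which the description notes can also produce such objects), shows that `Object.assign` turns that key into a prototype write on the target, and pairs it with the check and the merge a downstream consumer would want: a walk that flags own `__proto__`, `constructor` and `prototype` keys in a parsed tree, and a merge that copies keys with `Object.defineProperty` and skips those three. The sample JSON, the helper names and `DANGEROUS_KEYS` are constructed for this example.

```javascript
// Added example (not from the devalue project): how an own "__proto__" property
// on a parsed object becomes a prototype write under Object.assign, how to
// detect such objects, and how to merge them without that hazard.

// Constructed sample input. JSON.parse creates "__proto__" as an OWN data
// property here (CreateDataProperty), not as the prototype link.
const UNTRUSTED_JSON = '{"name":"x","__proto__":{"polluted":true}}';

function parseUntrusted(text) {
  return JSON.parse(text);
}

// Keys that can alter the prototype chain when copied with [[Set]].
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Detection: walk a parsed value and report the paths of own enumerable
// properties with a dangerous name. Object.keys never yields the inherited
// "__proto__" accessor, only a genuine own property.
function findDangerousKeys(value, path = '$', out = []) {
  if (value === null || typeof value !== 'object') return out;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) out.push(here);
    findDangerousKeys(value[key], here, out);
  }
  return out;
}

// The sink from the advisory: Object.assign uses [[Set]], so an own
// "__proto__" property on the source rewrites the target's prototype.
function unsafeMerge(target, source) {
  return Object.assign(target, source);
}

// Safe merge: define each key as an own data property (no setter dispatch)
// and skip keys that would change the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    Object.defineProperty(target, key, {
      value: source[key],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return target;
}

// Runs both merges against the same parsed input and reports what happened.
function demo() {
  const parsed = parseUntrusted(UNTRUSTED_JSON);
  const findings = findDangerousKeys(parsed);
  const unsafeTarget = unsafeMerge({}, parsed);
  const safeTarget = safeMerge({}, parsed);
  return {
    hasOwnProto: Object.prototype.hasOwnProperty.call(parsed, '__proto__'),
    findings,                                        // ['$.__proto__']
    unsafePrototypeChanged:
      Object.getPrototypeOf(unsafeTarget) !== Object.prototype,
    unsafeInherited: unsafeTarget.polluted,          // true, inherited from the new prototype
    safePrototypeChanged:
      Object.getPrototypeOf(safeTarget) !== Object.prototype,
    safeInherited: safeTarget.polluted,              // undefined
    globalPolluted: ({}).polluted !== undefined,     // false: only unsafeTarget was affected
  };
}

console.log(demo());
```

The `findDangerousKeys` walk is the cheap check to run on anything returned by `devalue.parse`, `devalue.unflatten` or `JSON.parse` before it reaches a generic merge, clone or config loader; `safeMerge` shows why `Object.defineProperty` (or a plain allow-list of expected keys) is the right copy primitive when the source is untrusted, since it never invokes the `__proto__` setter. Note that in this scenario only the target object's prototype is rewritten, not `Object.prototype`; the global variant needs a further sink that copies into a shared object.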
Source: GHSA · CVSS 4.0 score: 2.7
Vulnerability type
CWE-1321 Prototype Pollution
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026