Untrusted data can create unexpected objects with eval
GHSA-8qm3-746x-r74r
Summary
When untrusted data is passed to the uneval() function, it can produce code that creates objects with unexpected properties when evaluated. This can lead to unexpected behavior in the affected software. Users should be cautious when handling untrusted data and consider using safer alternatives to eval().
What to do
- Update GitHub Actions devalue to version 5.6.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | devalue | <= 5.6.2 | 5.6.3 |
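To check whether a project still carries an affected copy, the sketch below scans the `packages` map of an npm lockfile (v2/v3 layout) for devalue at or below 5.6.2, including copies nested under other dependencies. It is an added example, not code from the advisory or from devalue; the function names, the sample lockfile and the package names in it are hypothetical.

```javascript
// Added example: flag devalue copies at or below the last affected version
// (5.6.2, per the table above) in an npm lockfile v2/v3 "packages" map.
const LAST_AFFECTED = [5, 6, 2];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version }] for every affected devalue copy,
// including copies nested under other packages' node_modules.
function findAffectedDevalue(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/devalue$/.test(path)) continue;
    const parsed = parseVersion(meta.version);
    // Unparseable versions are reported so a human looks at them.
    if (!parsed || compare(parsed, LAST_AFFECTED) <= 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/devalue": { version: "5.6.3" },
    "node_modules/some-framework/node_modules/devalue": { version: "5.6.2" },
    "node_modules/other-lib/node_modules/devalue": { version: "4.3.2" },
    "node_modules/devalue-extras": { version: "1.0.0" },
  },
};

console.log(findAffectedDevalue(sampleLock));
```

A nested hit means the top-level upgrade alone is not enough; the parent dependency has to be updated or the nested version overridden.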
Original title
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
Original description
Under certain circumstances, `uneval`ing untrusted data can produce output code that will create objects with polluted prototypes when later `eval`ed, meaning the output data can be a different shape from the input data.
ghsa CVSS4.0
2.1
Vulnerability type
CWE-1321
Prototype Pollution
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026