devalue.parse and unflatten can be tricked, causing crashes or data corruption
CVE-2026-30226
GHSA-cfw5-2vxh-hr84
Summary
The devalue library's `parse` and `unflatten` functions can be driven into prototype pollution by maliciously crafted input, causing them to behave unexpectedly and potentially leading to crashes or data corruption. This affects applications that use devalue to deserialize user-supplied or otherwise untrusted data. To protect your application, update to a fixed version of devalue or add input validation so that malicious payloads are rejected before they are parsed.
What to do
- Update devalue to version 5.6.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | devalue | <= 5.6.4 | 5.6.4 |
Original title
devalue has prototype pollution in devalue.parse and devalue.unflatten
Original description
In devalue v5.6.3, `devalue.parse` and `devalue.unflatten` were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.
NVD CVSS 4.0 score
6.3
Vulnerability type
CWE-1321
Prototype Pollution
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026