Listen to this Post
The vulnerabilities in devalue allow prototype pollution through two distinct vectors. First, when `devalue.parse` or `devalue.unflatten` processes a crafted string, it can create objects with a `__proto__` own property, similar to how `JSON.parse` behaves. While this alone isn’t a vulnerability, it becomes dangerous when downstream code like `Object.assign()` merges this object into another, polluting the target’s prototype. The second vector involves array prototype pollution where `devalue.parse` fails to validate that indices are numeric, allowing attackers to assign array prototype methods like `push` or `toString` to object properties. Successful exploitation can lead to Denial of Service (DoS), type confusion, or property overwrites. These issues affect devalue versions prior to 5.3.2 (for CVE-2025-57820) and versions up to 5.6.3 (for CVE-2026-30226), with fixes implemented in versions 5.3.2 and 5.6.4 respectively .
dailycve form:
Platform: Svelte devalue
Version: v5.3.2 & v5.6.3
Vulnerability: Prototype Pollution
Severity: High (7.9 CVSS)
date: August 26, 2025
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability stems from insufficient input validation in the deserialization logic. Both `devalue.parse` and `devalue.unflatten` fail to sanitize `__proto__` keys and do not verify that array indices are numeric before assignment. This creates two attack surfaces: prototype inheritance pollution and array method hijacking. The CWE-1321 classification indicates improper control of object prototype attributes . CVSS 4.0 scores range from 6.3 to 7.9, with attack vectors being network-based, requiring no privileges, and no user interaction . The vulnerability affects approximately 27 live websites in the wild, with highest concentration in the United States (8 sites) and Denmark (6 sites) .
Exploit:
Example of <strong>proto</strong> pollution payload
const payload = '[{"x":1,"y":2,"<strong>proto</strong>":4},3,4,"nope",["Vector",5],[6,7],8,9]';
const result = devalue.parse(payload);
const target = {};
Object.assign(target, result); // Prototype pollution occurs
Array prototype method injection
const malicious = '[{"toString":"push"}]';
const polluted = devalue.parse(malicious);
polluted.toString(); // Returns 0 instead of "[object Object]"
Version check for vulnerable installations
npm list devalue
grep devalue package.json
Protection:
Upgrade to patched versions npm install [email protected] For CVE-2025-57820 fix npm install [email protected] For complete fix including CVE-2026-30226 Verify the fix npm show devalue version cat package-lock.json | grep devalue Input validation workaround function safeParse(input) { if (input.includes('<strong>proto</strong>') || input.includes('constructor')) { throw new Error('Potentially malicious input detected'); } return devalue.parse(input); }
Impact:
Remote attackers can pollute JavaScript object prototypes without authentication, leading to unexpected application behavior, denial of service, or type confusion attacks . Applications using devalue for serialization of untrusted input are most at risk. The vulnerability can bypass server-side validation when array prototype methods are injected into objects . Since devalue is a Svelte ecosystem library, any Svelte-based applications using vulnerable versions (v5.3.2 and earlier, or up to v5.6.3) are affected . The attack requires no user interaction and can be triggered via maliciously crafted serialized data .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

