Svelte devalue, Prototype Pollution, CVE-2025-57820 & CVE-2026-30226 (High)

Listen to this Post

The vulnerabilities in devalue allow prototype pollution through two distinct vectors. First, when `devalue.parse` or `devalue.unflatten` processes a crafted string, it can create objects with a `__proto__` own property, similar to how `JSON.parse` behaves. While this alone isn’t a vulnerability, it becomes dangerous when downstream code like `Object.assign()` merges this object into another, polluting the target’s prototype. The second vector involves array prototype pollution where `devalue.parse` fails to validate that indices are numeric, allowing attackers to assign array prototype methods like `push` or `toString` to object properties. Successful exploitation can lead to Denial of Service (DoS), type confusion, or property overwrites. These issues affect devalue versions prior to 5.3.2 (for CVE-2025-57820) and versions up to 5.6.3 (for CVE-2026-30226), with fixes implemented in versions 5.3.2 and 5.6.4 respectively .

dailycve form:

Platform: Svelte devalue
Version: v5.3.2 & v5.6.3
Vulnerability: Prototype Pollution
Severity: High (7.9 CVSS)
date: August 26, 2025

Prediction: Patch already available

What Undercode Say:

Analytics:

The vulnerability stems from insufficient input validation in the deserialization logic. Both `devalue.parse` and `devalue.unflatten` fail to sanitize `__proto__` keys and do not verify that array indices are numeric before assignment. This creates two attack surfaces: prototype inheritance pollution and array method hijacking. The CWE-1321 classification indicates improper control of object prototype attributes . CVSS 4.0 scores range from 6.3 to 7.9, with attack vectors being network-based, requiring no privileges, and no user interaction . The vulnerability affects approximately 27 live websites in the wild, with highest concentration in the United States (8 sites) and Denmark (6 sites) .

Exploit:

Example of <strong>proto</strong> pollution payload
const payload = '[{"x":1,"y":2,"<strong>proto</strong>":4},3,4,"nope",["Vector",5],[6,7],8,9]';
const result = devalue.parse(payload);
const target = {};
Object.assign(target, result); // Prototype pollution occurs
Array prototype method injection
const malicious = '[{"toString":"push"}]';
const polluted = devalue.parse(malicious);
polluted.toString(); // Returns 0 instead of "[object Object]"
Version check for vulnerable installations
npm list devalue
grep devalue package.json

Protection:

Upgrade to patched versions
npm install [email protected] For CVE-2025-57820 fix
npm install [email protected] For complete fix including CVE-2026-30226
Verify the fix
npm show devalue version
cat package-lock.json | grep devalue
Input validation workaround
function safeParse(input) {
if (input.includes('<strong>proto</strong>') || input.includes('constructor')) {
throw new Error('Potentially malicious input detected');
}
return devalue.parse(input);
}

Impact:

Remote attackers can pollute JavaScript object prototypes without authentication, leading to unexpected application behavior, denial of service, or type confusion attacks . Applications using devalue for serialization of untrusted input are most at risk. The vulnerability can bypass server-side validation when array prototype methods are injected into objects . Since devalue is a Svelte ecosystem library, any Svelte-based applications using vulnerable versions (v5.3.2 and earlier, or up to v5.6.3) are affected . The attack requires no user interaction and can be triggered via maliciously crafted serialized data .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top