devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed

GHSA-8qm3-746x-r74r

Published Feb 19, 2026 · Modified Feb 22, 2026

Description

Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data.

References

WEB https://github.com/sveltejs/devalue/security/advisories/GHSA-8qm3-746x-r74r
WEB https://github.com/sveltejs/devalue/commit/0f04d4d678eac39ad5d7a07d1956275d7874e81c
PACKAGE https://github.com/sveltejs/devalue
WEB https://github.com/sveltejs/devalue/releases/tag/v5.6.3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes