Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `proto` own properties

GHSA-mwv9-gp5h-frr4

Published Mar 12, 2026 · Modified May 14, 2026

Description

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted

References

WEB https://github.com/sveltejs/devalue/security/advisories/GHSA-mwv9-gp5h-frr4
PACKAGE https://github.com/sveltejs/devalue
WEB https://github.com/sveltejs/devalue/releases/tag/v5.6.4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes

Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties

Description

References

Start Securing

Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `proto` own properties