Prototype Pollution in Sveltejs Devalue

CVE-2025-57820

Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning pro…

Vulnerability class: Prototype Pollution

EPSS: 0.002 (37.3th percentile)
