CVE-2025-57820
7.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sveltejs | devalue | < 5.3.2 | affected |
Weaknesses
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv
- https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.