devalue has prototype pollution in devalue.parse and devalue.unflatten

Description

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

Recommendation

Update the devalue package to the latest compatible version. Followings are version details:

• Affected version(s): < 5.6.4
• Patched version(s): 5.6.4

References

• GHSA-cfw5-2vxh-hr84
• CVE-2026-30226
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
• Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
• Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
• Velocity.js has a Prototype Pollution vulnerability through #set path assignment - CVE-2026-44966

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

devalue