devalue has prototype pollution in devalue.parse and devalue.unflatten
- Severity: Medium
Description
In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.
Recommendation
Update the devalue package to the latest compatible version. Version details:
- Affected version(s): < 5.6.4
- Patched version(s): 5.6.4
References
Related Issues
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo - CVE-2024-21548
- parse is vulnerable to prototype pollution - CVE-2025-57324
- Tags: npm, devalue
Last updated on March 12, 2026