devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
Severity: Low
Description
Under certain circumstances, calling `uneval` on untrusted data can produce output code that, when later `eval`ed, creates objects with polluted prototypes. The data obtained from the output can therefore have a different shape from the input data: a key that was an ordinary own property of the input becomes a prototype assignment in the regenerated object.
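The following is an added illustration of the general mechanism behind this class of bug; it is not devalue's own code and does not reproduce the specific condition fixed in 5.6.3. A serializer that writes every key of an object literal as a quoted string emits `"__proto__": {...}` for an input that carries an own `__proto__` property, and the object-literal grammar treats that as a prototype assignment when the source is evaluated. The `safeUneval` variant, which writes such a key as a computed property name, is one hardening approach assumed for this example and is not devalue's patch. The untrusted JSON is constructed.

```javascript
// Added illustration (not devalue's code): how an "uneval" step that emits a
// plain object literal can change the shape of data containing a "__proto__"
// key, and one way to emit code that does not.

// Constructed untrusted input, e.g. a JSON body an attacker controls.
// JSON.parse creates a real own property named "__proto__" here; it does
// not touch the prototype of the resulting object.
const untrustedJson = '{"name":"guest","__proto__":{"isAdmin":true}}';
const input = JSON.parse(untrustedJson);

// Naive serializer: turns an object graph back into JavaScript source by
// writing every key as a quoted string inside an object literal.
function naiveUneval(value) {
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  if (Array.isArray(value)) return "[" + value.map(naiveUneval).join(",") + "]";
  return "{" + Object.keys(value)
    .map((k) => JSON.stringify(k) + ":" + naiveUneval(value[k]))
    .join(",") + "}";
}

// Hardened serializer (assumed approach for this example): a "__proto__" key
// is written as a computed property name, which the object-literal grammar
// treats as an ordinary own property instead of a prototype assignment.
function safeUneval(value) {
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  if (Array.isArray(value)) return "[" + value.map(safeUneval).join(",") + "]";
  return "{" + Object.keys(value)
    .map((k) => {
      const key = k === "__proto__" ? "[" + JSON.stringify(k) + "]" : JSON.stringify(k);
      return key + ":" + safeUneval(value[k]);
    })
    .join(",") + "}";
}

// Evaluate generated source the way a consumer of uneval'd code would
// (indirect eval, wrapped in parentheses so the literal parses as an expression).
function evalSource(src) {
  return (0, eval)("(" + src + ")");
}

// Summarize the shape of an object so the serializers can be compared:
// does "__proto__" survive as an own property, was the prototype replaced,
// and does a property from the attacker-controlled object now get inherited?
function describe(obj) {
  return {
    ownProto: Object.prototype.hasOwnProperty.call(obj, "__proto__"),
    protoIsObjectPrototype: Object.getPrototypeOf(obj) === Object.prototype,
    inheritedIsAdmin: obj.isAdmin === true,
  };
}

const original = describe(input);                                // own "__proto__", clean prototype
const naive = describe(evalSource(naiveUneval(input)));          // prototype replaced, isAdmin inherited
const safe = describe(evalSource(safeUneval(input)));            // same shape as the input

console.log("input: ", original);
console.log("naive: ", naive);
console.log("safe:  ", safe);
```

Running the block shows that the naively regenerated object inherits `isAdmin` from an attacker-supplied prototype and has no own `__proto__` property, while the computed-key form round-trips to the same shape as the parsed input. Note that quoting the key does not help: `{"__proto__": x}` is still a prototype assignment in an object literal; only a computed key (`["__proto__"]`) or an explicit `Object.defineProperty` call yields an own property.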
Recommendation
Update the devalue package to the latest compatible version. Version details:
- Affected version(s): <= 5.6.2
- Patched version(s): 5.6.3
Tags: npm, devalue
Last updated on February 19, 2026