devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
- Severity: Low
Description
Under certain circumstances, passing untrusted data to `uneval` can produce output code that creates objects with polluted prototypes when it is later `eval`ed, so the output data can have a different shape from the input data.
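As an added illustration (not devalue's code, and no claim about how devalue's `uneval` is implemented), the following uses a hypothetical stand-in serialiser to show the mechanism the description refers to, together with a guard that reports own `__proto__` keys in input before it is handed to `uneval`:

```javascript
// Added example, not devalue's own code. An own "__proto__" key is an
// ordinary property after JSON.parse, but once the value is serialised to
// object-literal source and eval'ed, the same key acts as a prototype setter,
// so the evaluated object has a different shape from the input.

// Constructed sample of untrusted input.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"isAdmin":true}}';

// Hypothetical stand-in for an object-literal serialiser (devalue's real
// uneval is more involved); it only exists to show the literal semantics.
function toObjectLiteral(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(toObjectLiteral).join(',') + ']';
  const entries = Object.keys(value).map(
    (k) => JSON.stringify(k) + ':' + toObjectLiteral(value[k]),
  );
  return '{' + entries.join(',') + '}';
}

// Round trip: parse the untrusted JSON, emit literal source, eval it.
function roundTrip(json) {
  const input = JSON.parse(json);
  const source = toObjectLiteral(input);
  const output = (0, eval)('(' + source + ')'); // indirect eval, global scope
  return { input, source, output };
}

// Defensive check: walk a value before passing it to uneval and report every
// own "__proto__" key, so the caller can reject the input or rename the key.
function findOwnProtoKeys(value, path = '$') {
  const hits = [];
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const childPath = path + '.' + key;
    if (key === '__proto__') hits.push(childPath);
    hits.push(...findOwnProtoKeys(value[key], childPath));
  }
  return hits;
}

// Own-property test that works even when "__proto__" is an own key.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}
```

Note that only the new object's prototype is replaced here; `Object.prototype` itself is untouched, which is why the guard on input is the practical place to catch the problem.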
Recommendation
Update the devalue package to the latest compatible version. Version details:
- Affected version(s): <= 5.6.2
- Patched version(s): 5.6.3
References
Related Issues
- Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties - Vulnerability
- Vega vulnerable to arbitrary code execution when clicking href links - Vulnerability
- discord-html not escaping HTML code blocks when lacking a language identifier - Vulnerability
- @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plug - Vulnerability
- Tags: npm, devalue
Last updated on February 19, 2026