Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
- Severity: Low
Description
In some circumstances, `devalue.parse` and `devalue.unflatten` could emit objects with `__proto__` own properties. This in itself is not a security vulnerability (and is possible with, for example, `JSON.parse` as well), but it can result in prototype injection if downstream code handles it incorrectly:
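The downstream risk named above, as an added JavaScript example that is not the advisory's or devalue's own code: it uses `JSON.parse` (which the advisory notes behaves the same way) to build an object with an own `__proto__` key, shows a check that flags such keys, and contrasts a naive recursive merge that rewrites `Object.prototype` with one that skips the dangerous keys. The input and both merge functions are constructed for illustration.

```javascript
// Constructed input: JSON.parse, like the affected devalue versions, yields an OWN "__proto__" key.
const untrusted = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');

// Detection: flag an own "__proto__" key anywhere in parser output (the inherited accessor is not own).
function hasOwnProtoKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Object.hasOwn(value, '__proto__')) return true;
  return Object.values(value).some(hasOwnProtoKey);
}

// Vulnerable pattern: target["__proto__"] reads Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v === null || typeof v !== 'object') { target[key] = v; continue; }
    if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
    unsafeMerge(target[key], v);
  }
  return target;
}

// Hardened pattern: skip keys that reach the prototype chain and only recurse into own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const v = source[key];
    if (v === null || typeof v !== 'object') { target[key] = v; continue; }
    if (!Object.hasOwn(target, key) || typeof target[key] !== 'object') target[key] = {};
    safeMerge(target[key], v);
  }
  return target;
}

// Runs both merges on the same input and restores Object.prototype so the pollution does not persist.
function demonstrate() {
  let polluted;
  try {
    unsafeMerge({}, untrusted);
    polluted = ({}).isAdmin === true; // true: every plain object now inherits isAdmin
  } finally {
    delete Object.prototype.isAdmin;
  }
  const safeResult = safeMerge({}, untrusted);
  return { polluted, afterCleanup: ({}).isAdmin, safeResult };
}
```

`hasOwnProtoKey` is the cheap gate to run on parser output before it reaches any merge or assignment helper; the hardened merge is the fix to apply where that output is consumed.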
Recommendation
Update the devalue package to the latest compatible version. Version details follow:
- Affected version(s): <= 5.6.3
- Patched version(s): 5.6.4
References
Related Issues
- devalue has prototype pollution in devalue.parse and devalue.unflatten - CVE-2026-30226
- devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed - Vulnerability
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- devalue prototype pollution vulnerability - CVE-2025-57820
- Tags: npm, devalue
Last updated on March 12, 2026