CVE Reports

Posted on • Originally published at cvereports.com

GHSA-mwv9-gp5h-frr4: Prototype Pollution Vector via Malformed Properties in devalue

Vulnerability ID: GHSA-MWV9-GP5H-FRR4
CVSS Score: 5.3
Published: 2026-03-12

The devalue library prior to version 5.6.4 contains a prototype pollution vector within its deserialization routines. The parse and unflatten functions fail to validate property keys, allowing the instantiation of objects with __proto__ as an explicit own property. This behavior facilitates prototype pollution when the resulting objects are processed by applications using insecure recursive merge functions.

TL;DR

The devalue npm package (< 5.6.4) improperly parses objects containing __proto__ as an own property. This enables prototype pollution attacks if the resulting objects are processed by vulnerable merge logic in downstream applications.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network
  • CVSS Base Score: 5.3
  • Impact: Integrity (Prototype Pollution), potential DoS/RCE
  • Exploit Status: Proof-of-Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • devalue < 5.6.4 (fixed in 5.6.4)
  • SvelteKit applications using vulnerable devalue versions

Mitigation Strategies

  • Upgrade the devalue library to version 5.6.4 or higher to resolve the parser vulnerability.
  • Implement strict prototype-aware checks in all recursive deep merge functions used within the application.
  • Utilize Object.create(null) for dictionary objects to prevent prototype chain traversal during object manipulation.
  • Employ static analysis tools to identify vulnerable merge functions and outdated devalue dependencies in package-lock.json.

Remediation Steps:

  1. Identify all projects that use the devalue library directly or transitively via frameworks such as SvelteKit.
  2. Run dependency updates so that devalue is raised to at least version 5.6.4 (e.g., npm install devalue@^5.6.4).
  3. Audit the codebase for custom recursive merge functions or assignments that iterate over object keys.
  4. Update custom merge functions to explicitly check for and skip the `__proto__` key.
  5. Validate the mitigation by running test suites against the updated dependencies.
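The following is an added example, not code from the advisory or from the devalue project. It illustrates both the mitigation strategies above and remediation steps 3 and 4: a recursive merge that is vulnerable to an own `__proto__` key, the prototype-aware form that skips that key, the effect of using `Object.create(null)` for the dictionary object, and a validation check that flags deserialized data carrying `__proto__` as an own property. The payload is constructed here with `JSON.parse`, which also produces an own `__proto__` key, as a stand-in for what the advisory says devalue < 5.6.4 returns from `parse`/`unflatten`; the function names and the `polluted` marker are assumptions of the example.

```javascript
// Added example, not code from the advisory or the devalue project.
// Keys whose assignment can reach the prototype chain. "__proto__" is the one
// named in the advisory; "constructor" and "prototype" are blocked by convention.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: it assigns every key. For the key "__proto__" on an ordinary
// target, target["__proto__"] resolves to Object.prototype, which passes the
// plain-object test, so the recursion writes the payload's fields onto it.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: prototype-affecting keys are skipped, and a nested container is
// only reused when it is the target's own property.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validation for deserialized data: true if any object in the graph carries
// "__proto__" as an own property. Arrays are walked; cycles are tolerated.
function hasOwnProtoKey(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value);
  if (Array.isArray(value)) return value.some((item) => hasOwnProtoKey(item, seen));
  for (const key of Object.keys(value)) {
    if (key === '__proto__') return true;
    if (hasOwnProtoKey(value[key], seen)) return true;
  }
  return false;
}

// Runs one merge against the constructed payload and reports whether a fresh
// object afterwards inherits the marker field, i.e. whether Object.prototype
// was polluted. The marker is removed again so the demo leaves no trace.
function mergePollutes(mergeFn, target) {
  // Constructed payload: JSON.parse yields "__proto__" as an own property.
  const parsed = JSON.parse('{"user":"alice","__proto__":{"polluted":true}}');
  try {
    mergeFn(target, parsed);
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

// Stand-alone demo.
console.log('payload flagged:', hasOwnProtoKey(JSON.parse('{"__proto__":{"x":1}}')));
console.log('unsafe merge into {}:', mergePollutes(unsafeDeepMerge, {}));
console.log('unsafe merge into Object.create(null):', mergePollutes(unsafeDeepMerge, Object.create(null)));
console.log('safe merge into {}:', mergePollutes(safeDeepMerge, {}));
```

Running it shows the unsafe merge polluting `Object.prototype` only when the target is an ordinary object; the same unsafe merge into an `Object.create(null)` dictionary stores `__proto__` as a harmless own key, and the hardened merge never touches the prototype. `hasOwnProtoKey` is the check to run on parsed input before it reaches any merge logic you do not control.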

Read the full report for GHSA-MWV9-GP5H-FRR4 on our website for more details including interactive diagrams and full exploit analysis.
