CVE-2025-57820

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-57820

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57820.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-57820

Aliases

GHSA-vj54-72f3-p5jv

Published

2025-08-26T23:15:35Z

Modified

2025-08-27T09:50:45.781974Z

Summary

[none]

Details

Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2

References

Affected packages

Git / github.com/sveltejs/devalue

Affected ranges

Type: GIT
Repo: https://github.com/sveltejs/devalue
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0623a47c9555b639c03ff1baea82951b2d9d1132

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.1.0

v1.1.1

v2.*

v2.0.0

v2.0.1

v3.*

v3.0.1

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.3.0

v5.3.1