CVE-2025-57820

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-57820

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57820.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-57820

Aliases

GHSA-vj54-72f3-p5jv

Published

2025-08-26T22:33:19.100Z

Modified

2026-04-02T12:55:44.299309Z

Severity

7.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator

Summary

Svelte devalue vulnerable to prototype pollution

Details

Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57820.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ]
}

References

Affected packages

Git / github.com/sveltejs/devalue

Affected ranges

Type: GIT
Repo: https://github.com/sveltejs/devalue
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

86a6a66d2c830514e94326a0f8fa2d8d670eac8a

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.1.0

v1.1.1

v2.*

v2.0.0

v2.0.1

v3.*

v3.0.1

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.3.0

v5.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57820.json"