CVE-2025-57820

HIGH

NPM Devalue < 5.3.2 - Prototype Pollution


Description

Svelte devalue is a utility library for serializing and deserializing JavaScript values. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property, and devalue.parse did not check that an index (the serialized form refers to other values by their position in a flat array) is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2.
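The two defects named above, illustrated with an added example that is not devalue's source and not part of this advisory. The hydrator below is a constructed, minimal reproduction of the same index-based format (entry 0 is the root; an object entry maps keys to the indices of other entries); the function names hydrateUnsafe and hydrateSafe, the sample payloads and the choice of Object.defineProperty as the hardening are assumptions made for illustration, not necessarily the fix devalue shipped in 5.3.2.

```javascript
// Constructed example, not devalue's code. Both hydrators take the flat-array
// form the advisory describes: values[0] is the root, and object entries map
// keys to indices of other entries, e.g. '[{"a":1},"hello"]' -> { a: "hello" }.

// Vulnerable shape: keys are assigned with bracket syntax, so a "__proto__" key
// reaches the prototype setter, and indices are used without checking that they
// are integers into the payload array, so a string index such as "constructor"
// resolves inherited properties of the scratch arrays instead of payload data.
function hydrateUnsafe(serialized) {
  const values = JSON.parse(serialized);
  const hydrated = [];
  const hydrate = (index) => {
    if (hydrated[index] !== undefined) return hydrated[index]; // inherited props leak here
    const value = values[index];
    if (value === null || typeof value !== "object") {
      return (hydrated[index] = value);
    }
    const obj = {};
    hydrated[index] = obj; // registered before recursion so cycles terminate
    for (const key in value) {
      obj[key] = hydrate(value[key]); // key "__proto__" replaces obj's prototype
    }
    return obj;
  };
  return hydrate(0);
}

// Hardened shape: every index must be a non-negative integer inside the array,
// and keys are installed with Object.defineProperty, which creates an own data
// property even when the key is "__proto__" rather than invoking the setter.
function hydrateSafe(serialized) {
  const values = JSON.parse(serialized);
  if (!Array.isArray(values)) throw new Error("payload must be an array");
  const hydrated = [];
  const hydrate = (index) => {
    if (!Number.isInteger(index) || index < 0 || index >= values.length) {
      throw new Error(`invalid index ${JSON.stringify(index)}`);
    }
    if (hydrated[index] !== undefined) return hydrated[index];
    const value = values[index];
    if (value === null || typeof value !== "object") {
      return (hydrated[index] = value);
    }
    const obj = {};
    hydrated[index] = obj;
    for (const key of Object.keys(value)) {
      Object.defineProperty(obj, key, {
        value: hydrate(value[key]),
        enumerable: true,
        writable: true,
        configurable: true,
      });
    }
    return obj;
  };
  return hydrate(0);
}

// Constructed payloads: the first smuggles an attacker-chosen prototype into the
// root object, the second points a key at a non-numeric index.
const PROTO_PAYLOAD = '[{"__proto__":1},{"isAdmin":2},true]';
const INDEX_PAYLOAD = '[{"x":"constructor"}]';

function demo() {
  const unsafe = hydrateUnsafe(PROTO_PAYLOAD);
  const safe = hydrateSafe(PROTO_PAYLOAD);
  let safeRejectsIndex = false;
  try {
    hydrateSafe(INDEX_PAYLOAD);
  } catch (e) {
    safeRejectsIndex = true;
  }
  return {
    // unsafe root inherits isAdmin from the injected prototype; it is not an own key
    unsafeInheritsIsAdmin: unsafe.isAdmin === true && !Object.hasOwn(unsafe, "isAdmin"),
    // a string index hands back Array itself, read off the scratch array's prototype
    unsafeLeaksArrayCtor: hydrateUnsafe(INDEX_PAYLOAD).x === Array,
    // hardened root keeps Object.prototype and stores "__proto__" as plain data
    safeKeepsPrototype: Object.getPrototypeOf(safe) === Object.prototype &&
      Object.hasOwn(safe, "__proto__") && safe.isAdmin === undefined,
    safeRejectsIndex,
  };
}

console.log(demo());
```

Note that with this payload the injected prototype is scoped to the returned object, not to the global Object.prototype; any downstream code that trusts the hydrated object (for example, reading isAdmin without an own-property check) still sees attacker-controlled values, which is why rejecting both bad indices and prototype-changing keys at parse time matters.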

Scores

CVSS v4 7.9
EPSS 0.0013
EPSS Percentile 32.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (2)
npm/devalue >= 0, < 5.3.2 (npm)
sveltejs/devalue < 5.3.2
Published Aug 26, 2025
Tracked Since Feb 18, 2026