SB20260424110 - Multiple vulnerabilities in devalue
Published: April 24, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: N/A)
The vulnerability allows a remote attacker to inject properties into object prototypes.
The vulnerability exists due to improper control of dynamically determined object attributes in devalue.parse and devalue.unflatten when parsing input that creates objects with __proto__ own properties. A remote attacker can supply crafted input to inject properties into object prototypes.
Exploitation requires downstream code to handle the emitted object in an unsafe way, such as copying its properties into another object.
2) Prototype pollution (CVE-ID: CVE-2026-30226)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improperly controlled modification of object prototype attributes in devalue.parse and devalue.unflatten when parsing maliciously crafted payloads. A remote attacker can supply a specially crafted payload to cause a denial of service.
The issue may also lead to type confusion.
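Both entries above come down to the same consumer-side hazard: a deserializer emits an object that carries an own "__proto__" (or similar) key, and downstream code then copies that object's properties somewhere else. The following is an added example, not code from the devalue project or from this bulletin, showing the check a consumer can run on deserialized output before merging it, plus a merge that cannot assign through such a key. It assumes the value being checked is whatever devalue.parse or devalue.unflatten returned; the sample inputs are constructed with JSON.parse (which also yields an own "__proto__" data property) so the block runs without the library, and the function names are this example's own.

```javascript
// Added example, not code from the devalue project or this bulletin.
// Assumes `value` is the output of a deserializer such as devalue.parse;
// the sample inputs at the bottom are constructed for this demo.

// Own-property names that must never be copied into another object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a deserialized structure and return the path of the first own
// property whose name could reach a prototype, or null if none is found.
// Cycles and Map/Set containers are handled because the deserializer may
// emit them.
function findUnsafeKey(value, path = '$', seen = new Set()) {
  if (value === null || typeof value !== 'object') return null;
  if (seen.has(value)) return null;
  seen.add(value);

  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findUnsafeKey(value[i], `${path}[${i}]`, seen);
      if (hit) return hit;
    }
    return null;
  }
  if (value instanceof Map) {
    for (const [k, v] of value) {
      const hit = findUnsafeKey(v, `${path}.get(${JSON.stringify(String(k))})`, seen);
      if (hit) return hit;
    }
    return null;
  }
  if (value instanceof Set) {
    let i = 0;
    for (const v of value) {
      const hit = findUnsafeKey(v, `${path}{${i++}}`, seen);
      if (hit) return hit;
    }
    return null;
  }
  // Object.keys lists own enumerable keys, including an own "__proto__"
  // data property, which is exactly the object shape the bulletin describes.
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    const hit = findUnsafeKey(value[key], `${path}.${key}`, seen);
    if (hit) return hit;
  }
  return null;
}

// Reject the whole payload rather than silently dropping keys: a payload
// carrying such a key is malformed and should be logged and discarded.
function assertSafeDeserialized(value) {
  const hit = findUnsafeKey(value);
  if (hit !== null) {
    throw new Error(`refusing deserialized payload: unsafe own key at ${hit}`);
  }
  return value;
}

// Copy own properties onto `target` without ever assigning through a
// forbidden key, and via defineProperty rather than `target[key] = ...`,
// so the Object.prototype.__proto__ setter is never invoked on the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    Object.defineProperty(target, key, {
      value: source[key], enumerable: true, writable: true, configurable: true,
    });
  }
  return target;
}

// Constructed samples (not devalue payloads): JSON.parse creates an *own*
// "__proto__" data property from such a key, standing in for the object
// shape the bulletin describes for devalue.parse output.
const CLEAN_SAMPLE = JSON.parse('{"user":"alice","settings":{"theme":"dark"}}');
const DIRTY_SAMPLE = JSON.parse(
  '{"user":"alice","settings":{"theme":"dark","__proto__":{"polluted":true}}}'
);

console.log('clean sample:', findUnsafeKey(CLEAN_SAMPLE));   // null
console.log('dirty sample:', findUnsafeKey(DIRTY_SAMPLE));   // $.settings.__proto__
const merged = safeMerge({}, DIRTY_SAMPLE.settings);
console.log('merged keys:', Object.keys(merged));            // [ 'theme' ]
console.log('prototype clean:', ({}).polluted === undefined); // true
```

Running the validator once at the trust boundary, right after deserialization, is cheaper than auditing every later copy or merge in the application; the safe merge is the fallback for code paths where the payload must be merged into an existing object anyway.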
Remediation
Install the update from the vendor's website.