Improperly Controlled Modification of Dynamically-Determined Object Attributes in devalue - #VU127521

 


Published: April 24, 2026


Vulnerability identifier: #VU127521
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-915
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Rich Harris
Affected software:
devalue

Detailed vulnerability description

The vulnerability allows a remote attacker to inject properties into object prototypes.

The vulnerability exists due to improper control of dynamically determined object attributes in devalue.parse and devalue.unflatten when they parse input that produces objects carrying an own property named __proto__. A remote attacker can supply crafted input to inject properties into object prototypes.

Exploitation requires downstream code to handle the emitted object in an unsafe way, such as copying its properties into another object.
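Added example, not devalue's own code (devalue is not invoked here): JSON.parse stands in for the parser because it likewise yields an object with an own property literally named __proto__, a naive recursive merge plays the unsafe downstream copy the advisory refers to, and a pre-merge check shows how to reject such objects before any property is copied.

```javascript
// Added example, not devalue's code. JSON.parse stands in for the parser: it gives
// the result an OWN property named "__proto__" rather than setting the prototype.
const UNTRUSTED_JSON = '{"user":"alice","__proto__":{"polluted":"yes"}}'; // constructed input
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Defensive check: walk a parsed value and return the path of the first own key
// that would let a later property copy reach Object.prototype, or null.
function findForbiddenKey(value, path = '') {
  if (typeof value !== 'object' || value === null) return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findForbiddenKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}

// Naive recursive merge, the unsafe downstream handling the advisory refers to:
// target["__proto__"] resolves to Object.prototype, so the nested object's
// properties land on every plain object in the realm.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (typeof v === 'object' && v !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Hardened variant: validate the source before copying anything.
function safeMerge(target, source) {
  const bad = findForbiddenKey(source);
  if (bad !== null) throw new Error(`refusing to merge: forbidden key at ${bad}`);
  return naiveMerge(target, source);
}

// Runs both merges on the constructed input and reports what happened; the
// polluted property is deleted again so the process is left as it was found.
function demonstrate() {
  const parsed = JSON.parse(UNTRUSTED_JSON);
  const ownProto = Object.prototype.hasOwnProperty.call(parsed, '__proto__');
  naiveMerge({}, parsed);
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  let rejected = false;
  try { safeMerge({}, parsed); } catch (e) { rejected = true; }
  return { ownProto, polluted, rejected, cleanedUp: ({}).polluted === undefined };
}
```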


Remediation

Install the security update from the vendor's website.

Sources