
Description

Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property, and devalue.parse did not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2.
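The two checks the description calls out (rejecting a `__proto__` key, and requiring index references to be numeric) are easy to get wrong in any deserializer that reads property names and value references from untrusted input. The example below is added here and is not code from the advisory or from the devalue project: `unsafeSet` shows the plain computed assignment that lets a `__proto__` key replace an object's prototype, `safeSet` and `isValidIndex` are the hardened counterparts, and `hydrate` is a hypothetical minimal deserializer over a constructed payload layout (a JSON array whose objects map property names to integer positions in that array). That layout is an assumption for illustration only and is not devalue's actual wire format.

```javascript
// Added example, not code from the advisory or the devalue project.

// Keys that reach the prototype chain rather than the object itself.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe: a plain computed assignment. When key is "__proto__", value becomes
// the prototype of target, so target inherits properties it was never given.
function unsafeSet(target, key, value) {
  target[key] = value;
  return target;
}

// Hardened: refuse keys that address the prototype chain, and define the
// property as an own data property so no inherited setter is invoked.
function safeSet(target, key, value) {
  if (typeof key !== "string" || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing to assign property "${String(key)}"`);
  }
  Object.defineProperty(target, key, {
    value,
    writable: true,
    enumerable: true,
    configurable: true,
  });
  return target;
}

// A reference into the deserializer's value table must be a genuine integer
// index within bounds: not a string, a float, a boolean or a negative number.
function isValidIndex(ref, tableLength) {
  return Number.isInteger(ref) && ref >= 0 && ref < tableLength;
}

// Hypothetical deserializer over a constructed layout (assumption, not
// devalue's real format): a JSON array, position 0 is the root, plain objects
// map property names to positions, arrays list positions, everything else is
// a primitive. Every reference goes through isValidIndex and every property
// through safeSet.
function hydrate(text) {
  const table = JSON.parse(text);
  if (!Array.isArray(table)) throw new TypeError("payload must be an array");
  const memo = new Map(); // resolved values by position; also breaks cycles

  function resolve(i) {
    if (!isValidIndex(i, table.length)) {
      throw new TypeError(`bad index ${JSON.stringify(i)}`);
    }
    if (memo.has(i)) return memo.get(i);
    const v = table[i];
    if (v === null || typeof v !== "object") {
      memo.set(i, v);
      return v;
    }
    if (Array.isArray(v)) {
      const arr = [];
      memo.set(i, arr);
      for (const ref of v) arr.push(resolve(ref));
      return arr;
    }
    const obj = {};
    memo.set(i, obj);
    // JSON.parse creates "__proto__" as an own property, so Object.keys
    // surfaces it here and safeSet rejects it.
    for (const key of Object.keys(v)) safeSet(obj, key, resolve(v[key]));
    return obj;
  }

  return resolve(0);
}

// Shows what the advisory describes: after an unchecked "__proto__" assignment
// the object inherits isAdmin without ever having it as an own property.
function prototypeInjectionDemo() {
  const obj = unsafeSet({}, "__proto__", { isAdmin: true });
  return {
    inherited: obj.isAdmin,
    own: Object.prototype.hasOwnProperty.call(obj, "isAdmin"),
    protoReplaced: Object.getPrototypeOf(obj) !== Object.prototype,
  };
}

module.exports = { unsafeSet, safeSet, isValidIndex, hydrate, prototypeInjectionDemo };
```

The demo deliberately only changes the prototype of one freshly created object, which is the effect the description names; the hardened path throws on the same input, and the index check rejects `"1"`, `1.5`, `true` and out-of-range positions that a loose `table[ref]` lookup would otherwise accept.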

PUBLISHED Reserved 2025-08-20 | Published 2025-08-26 | Updated 2025-08-27 | Assigner GitHub_M

HIGH: 7.9 (CVSS 4.0) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

devalue < 5.3.2: affected

References

github.com/...evalue/security/advisories/GHSA-vj54-72f3-p5jv

github.com/...ommit/0623a47c9555b639c03ff1baea82951b2d9d1132

cve.org (CVE-2025-57820)

nvd.nist.gov (CVE-2025-57820)
