Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
Published: 2026-03-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service / Type Confusion
Action: Patch
AI Analysis

Impact

Prototype pollution in Svelte devalue's parse and unflatten functions lets a maliciously crafted payload write attacker-chosen properties onto objects in the prototype chain, such as Object.prototype, from which every plain object inherits. This can cause denial of service by breaking the library's own logic, or type confusion, where application code that relies on devalue for serialization and deserialization reads an inherited value of an unexpected type. The weakness is identified as CWE-1321 (Prototype Pollution) and CWE-843 (Type Confusion).

Affected Systems

The vulnerability affects the Svelte JavaScript library devalue, specifically version 5.6.3 and all earlier releases. The affected package is identified by the CPE cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:*. Users of these versions should upgrade to 5.6.4 or later.

Risk and Exploitability

The CVSS v4.0 score of 6.3 indicates medium severity: the vector rates the flaw as network-reachable with no privileges or user interaction required, but with high attack complexity and only a low availability impact. An EPSS score below 1% suggests a low likelihood of exploitation in the wild, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. An attacker does not need to run code on the target: prototype pollution is driven by data, so the precondition is an application that passes attacker-controlled payloads to devalue.parse or devalue.unflatten, for example a server or client that deserializes payloads received over the network. Until the patch is applied, the risk can be reduced by passing only trusted input to these functions.

Generated by OpenCVE AI on March 17, 2026 at 20:44 UTC.

Remediation

Vendor fix: upgrade to devalue 5.6.4 or later (see the GitHub advisory GHSA-cfw5-2vxh-hr84).

OpenCVE Recommended Actions

  • Upgrade devalue (sveltejs/devalue) to version 5.6.4 or later
  • If upgrading is not immediately feasible, do not pass untrusted input to devalue.parse or devalue.unflatten; validate or sanitize any data that must be deserialized, rejecting payloads that carry keys such as __proto__, constructor or prototype

Generated by OpenCVE AI on March 17, 2026 at 20:44 UTC.
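Putting the Impact paragraph and the "validate or sanitize" recommendation into code, as an added example: this is not devalue's own implementation and does not reproduce the specific devalue bug (this page does not document its mechanism). A generic recursive merge stands in for the vulnerable deserializer to show the weakness class, and two guards an application can wrap around any deserializer it feeds untrusted input to, devalue.parse included, are shown beside it. Assumptions: the payload is JSON text, so it can be walked with JSON.parse before the real deserializer sees it (devalue.stringify output is JSON); both payload strings are constructed; and the names deepMergeNaive, deepMergeSafe, findPrototypeKey and withPrototypeCanary belong to this example, not to devalue.

```javascript
// Added illustration, not devalue's code. A generic "merge parsed JSON into an
// object" routine shows the weakness class (CWE-1321), followed by two guards
// that wrap any deserializer fed untrusted input. All names are this example's.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed payloads. JSON.parse stores "__proto__" as an ordinary own
// property (it does not set the prototype), so the key survives into whatever
// code later walks the parsed tree.
const MALICIOUS_PAYLOAD = '{"name":"x","__proto__":{"polluted":"yes"}}';
const BENIGN_PAYLOAD = '{"name":"x","nested":{"n":1}}';

// Vulnerable pattern: recursive merge that indexes target[key] without checking
// the key. For key "__proto__", target[key] is Object.prototype, so the
// recursion writes the attacker's properties onto every plain object.
function deepMergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: refuse the keys that reach the prototype chain and only
// recurse into properties the target owns, never inherited ones.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key: ${key}`);
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guard 1 (pre-parse): walk the JSON tree before it reaches the real
// deserializer; return the path of the first forbidden key, or null if clean.
function findPrototypeKey(value, path = "$") {
  if (value === null || typeof value !== "object") return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPrototypeKey(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    const hit = findPrototypeKey(value[key], `${path}.${key}`);
    if (hit !== null) return hit;
  }
  return null;
}

// Guard 2 (post-parse canary): snapshot Object.prototype's own keys, run the
// deserializer, report anything that appeared, and delete it again so one bad
// request does not leave the whole process polluted.
function withPrototypeCanary(fn) {
  const before = new Set(Reflect.ownKeys(Object.prototype));
  let result;
  let error = null;
  try {
    result = fn();
  } catch (e) {
    error = e;
  }
  const pollutedKeys = Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
  for (const k of pollutedKeys) delete Object.prototype[k];
  if (error !== null) throw error;
  return { result, pollutedKeys };
}

function demo() {
  const naive = withPrototypeCanary(() => deepMergeNaive({}, JSON.parse(MALICIOUS_PAYLOAD)));
  const hit = findPrototypeKey(JSON.parse(MALICIOUS_PAYLOAD));
  const benignHit = findPrototypeKey(JSON.parse(BENIGN_PAYLOAD));
  let refused = false;
  try {
    deepMergeSafe({}, JSON.parse(MALICIOUS_PAYLOAD));
  } catch {
    refused = true;
  }
  const safe = withPrototypeCanary(() => deepMergeSafe({}, JSON.parse(BENIGN_PAYLOAD)));
  return {
    pollutedDuring: naive.pollutedKeys, // ["polluted"]: the naive merge reached Object.prototype
    cleanAfter: !("polluted" in {}),    // true: the canary removed it again
    hit,                                // "$.__proto__"
    benignHit,                          // null
    refused,                            // true
    safeNested: safe.result.nested.n,   // 1
    safePolluted: safe.pollutedKeys,    // []
  };
}

console.log(demo());
```

The canary watches only Object.prototype; extend the snapshot to Array.prototype and any other shared prototype your application reads from, and treat a non-empty pollutedKeys as a security event rather than a warning. The pre-parse scan rejects constructor and prototype as well as __proto__, so it will also refuse legitimate payloads that carry those strings as data keys; that is the tradeoff behind the "if upgrade is not feasible" wording above, and upgrading to 5.6.4 remains the fix.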

Advisories

Source: GitHub GHSA
ID: GHSA-cfw5-2vxh-hr84
Title: devalue has prototype pollution in devalue.parse and devalue.unflatten
History

Tue, 17 Mar 2026 19:15:00 +0000

  CPEs
    Added:   cpe:2.3:a:svelte:devalue:*:*:*:*:*:node.js:*:*
  Metrics
    Removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
    Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 13 Mar 2026 00:15:00 +0000

  Weaknesses
    Added:   CWE-843
  References
    (changed; no values shown on this page)
  Metrics
    Removed: threat_severity None
    Added:   cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
    Added:   threat_severity Moderate

Thu, 12 Mar 2026 14:15:00 +0000

  Metrics
    Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

  First Time appeared
    Added:   Svelte
    Added:   Svelte devalue
  Vendors & Products
    Added:   Svelte
    Added:   Svelte devalue

Wed, 11 Mar 2026 18:00:00 +0000

  Description
    Added:   Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
  Title
    Added:   devalue has prototype pollution in devalue.parse and devalue.unflatten
  Weaknesses
    Added:   CWE-1321
  References
    (changed; no values shown on this page)
  Metrics
    Added:   cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-12T13:51:34.208Z
Reserved: 2026-03-04T17:23:59.797Z
Link: CVE-2026-30226

Vulnrichment

Updated: 2026-03-12T13:51:30.426Z

NVD

Status: Analyzed
Published: 2026-03-11T18:16:22.937
Modified: 2026-03-17T19:07:28.660
Link: CVE-2026-30226

Red Hat

Severity: Moderate
Public Date: 2026-03-11T17:47:40Z
Links: CVE-2026-30226 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T15:30:10Z

Weaknesses