Description
Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of `convertTokenData(tokens, { output: 'object' });`; indirect usage, via using Expand API; and/or indirect usage via SD's transform lifecycle. Impact is high for this when style-dictionary is used as an integration in a NodeJS server application. Impact is moderate for when style-dictionary is used as an integration in a Web application. Impact is low for most common cases where the user of style-dictionary also maintains the tokens, and access is limited via read/write access to the repository/workflows where it is used. A patch has been published in version `5.4.4`. The only known workaround is to sanitize token data first. Whether using DTCG format or old Style Dictionary format, check the token data object recursively for any object keys that include `__proto__`.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Style Dictionary’s convertTokenData utility is vulnerable to prototype pollution, a weakness that permits an attacker to inject arbitrary key/value pairs into JavaScript object prototypes. The flaw, identified as CWE‑1321, can modify the prototype chain of objects processed by the utility, potentially enabling the attacker to overwrite properties or cause unintended code execution during subsequent operations. The vulnerability becomes significant when a Node.js server application incorporates Style Dictionary to process token data that may originate from external or untrusted sources.

Affected Systems

Versions of Style Dictionary from 4.3.0 up to and including 5.4.3 are affected. The library, a Node.js build system for cross‑platform styles, is typically integrated into server‑side workflows or build pipelines, but may also be employed in front‑end build processes. The impact level varies: high when the library runs on a server, moderate when embedded in a web application, and lower when token data is carefully controlled by the user and limited to repository or workflow access.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation is currently not widespread. Nonetheless, the flaw can be exploited by supplying malicious token files or by manipulating pipelines that allow external modification of token objects, thereby affecting the runtime behavior of a Node.js context.

Generated by OpenCVE AI on June 24, 2026 at 09:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Style Dictionary to version 5.4.4 or later, where the prototype pollution bug has been fixed.
  • If an immediate upgrade is not possible, sanitize the token data object recursively before passing it to convertTokenData, ensuring no keys contain __proto__.
  • Where feasible, restrict or disable the Expand API and other conversion paths that involve untrusted input to minimize the attack surface.

Generated by OpenCVE AI on June 24, 2026 at 09:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Style-dictionary
Style-dictionary style-dictionary
Vendors & Products Style-dictionary
Style-dictionary style-dictionary

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Description Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of `convertTokenData(tokens, { output: 'object' });`; indirect usage, via using Expand API; and/or indirect usage via SD's transform lifecycle. Impact is high for this when style-dictionary is used as an integration in a NodeJS server application. Impact is moderate for when style-dictionary is used as an integration in a Web application. Impact is low for most common cases where the user of style-dictionary also maintains the tokens, and access is limited via read/write access to the repository/workflows where it is used. A patch has been published in version `5.4.4`. The only known workaround is to sanitize token data first. Whether using DTCG format or old Style Dictionary format, check the token data object recursively for any object keys that include `__proto__`.
Title Style Dictionary - Prototype Pollution in convertTokenData utility function
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Style-dictionary Style-dictionary
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:02:09.090Z

Reserved: 2026-06-15T20:07:02.186Z

Link: CVE-2026-54639

cve-icon Vulnrichment

Updated: 2026-06-24T13:02:04.319Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:20Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')