@@ -1,15 +1,15 @@
{
"schema_version": "1.4.0",
"id": "GHSA-mwv9-gp5h-frr4",
"modified": "2026-03-12T16:38:15Z",
"modified": "2026-03-12T19:41:57Z",
"published": "2026-03-12T16:38:15Z",
"aliases": [],
"summary": "Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties",
"details": "In some circumstances, `devalue.parse` and `devalue.unflatten` could emit objects with `__proto__` own properties. This in and of itself is not a security vulnerability (and is possible with, for example, `JSON.parse` as well), but it can result in prototype injection if _downstream_ code handles it incorrectly:\n\n```ts\nconst result = devalue.parse(/* input creating an object with a __proto__ property */);\nconst target = {};\nObject.assign(target, result); // target's prototype is now polluted\n```",
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"

I'm not actually sure why there's a CVSS string here in the first place; it is not present in the original advisory:

We purposefully statically scored this as a LOW as we do not consider it to be an actual security issue.

"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
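Review bot: the `score` line should not change in this PR. The only substantive edit to it is dropping the trailing `/E:U` from the CVSS v4 vector, which the thread below says was unintentional, and it is not a neutral cleanup: in CVSS v4.0 an Exploit Maturity that is Not Defined is scored as if it were Attacked, the highest value, so removing `E:U` can only raise the computed score. Restore the original string `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U` so that this hunk is limited to the `modified` timestamp.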
@@ -23,7 +23,7 @@
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
"introduced": "4.0.0"
},
{
"fixed": "5.6.4"
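Review bot: narrowing `introduced` from `0` to `4.0.0` drops every release before 4.0.0 from the affected range, which is the intended change of this PR, but nothing in the diff records why 4.0.0 is the boundary. Add the reference (the release or commit in which the affected `parse`/`unflatten` behaviour first appeared) to the PR description so the range can be audited later, and check that the version string matches the one published in the registry exactly, since `ECOSYSTEM` ranges are compared against registry version strings. The `fixed` boundary `5.6.4` is unchanged, which is correct.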
@@ -54,7 +54,7 @@
"cwe_ids": [
"CWE-1321"
],
"severity": "LOW",
"severity": "MODERATE",

We do not accept this modification. For reference, JSON.stringify works this way by design -- it will emit objects with __proto__ own properties if they exist in the source objects. We implemented this change purely as a hardening effort. We may decide to allow devalue to support own-property __proto__ in the future (there is no work planned for this currently, as we know of no valid use cases). This is not a vulnerability in devalue itself. We released this advisory as just that: An advisory.

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability

(emphasis added)

Suggested change
"severity": "MODERATE",
"severity": "LOW",

Hi @elliott-with-the-longest-name-on-github, thanks for the quick response! Please see my comment below about the CVSS changes. This was not intentional and I agree that the severity should not be changed.

Yeah, sorry, I meant to submit both of my comments as one review. Looks like GHSA assigned a "ghost string" or something on the backend; we didn't even give it a CVSS score in the first place. Thanks for fixing the starting version!

No problem at all! I don’t think I’m able to directly modify those files in the PR, so please feel free to make those changes. If the starting version looks good to you, feel free to merge the PR after fixing the CVSS issue. Thank you for looking at this so quickly!

"github_reviewed": true,
"github_reviewed_at": "2026-03-12T16:38:15Z",
"nvd_published_at": null
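Review bot: the `severity` bump from `LOW` to `MODERATE` contradicts the advisory's own `details` text, which states that emitting `__proto__` own properties is not in itself a security vulnerability and that the risk only arises when downstream code mishandles the result, and the maintainer rejects it in the thread. Revert this line to `"severity": "LOW",` so the PR carries only the version-range fix; the `cwe_ids` entry `CWE-1321` and the `github_reviewed` / `github_reviewed_at` / `nvd_published_at` context lines are unaffected and fine as they are.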