CVE-2025-57820

Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2

CVSS

No CVSS.

References

Link	Resource
https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132
https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv

Configurations

No configuration.

History

No history.

Information

Published : 2025-08-26 23:15

Updated : 2025-08-29 16:22

NVD link : CVE-2025-57820

Mitre link : CVE-2025-57820

CVE.ORG link : CVE-2025-57820

JSON object : View

Products Affected

No product.

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2025-57820", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-26T23:15:35.730", "references": [{"url": "https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132", "source": "[email protected]"}, {"url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2"}, {"lang": "es", "value": "Svelte devalue es una librer\u00eda de utilidades. Antes de la versi\u00f3n 5.3.2, una cadena pasada a devalue.parse pod\u00eda representar un objeto con una propiedad __proto__ y devalue.parse no verificaba si un \u00edndice era num\u00e9rico. Esto pod\u00eda provocar la asignaci\u00f3n de prototipos a objetos y propiedades, lo que generaba contaminaci\u00f3n de prototipos. Este problema se ha corregido en la versi\u00f3n 5.3.2."}], "lastModified": "2025-08-29T16:22:31.970", "sourceIdentifier": "[email protected]"}

CVE-2025-57820

JSON object

Attach tags to CVE-2025-57820

Attach tags to `CVE-2025-57820`