VYPR

npm package

devalue

pkg:npm/devalue

Vulnerabilities (5)

  • CVE-2026-42570 (High), Jun 9, 2026
    affected >= 5.6.3, < 5.8.1; fixed 5.8.1

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than w

  • CVE-2026-30226, Mar 11, 2026
    affected < 5.6.4; fixed 5.6.4

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exp

  • CVE-2026-22775, Jan 15, 2026
    affected >= 5.1.0, < 5.6.2; fixed 5.6.2

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in system

  • CVE-2026-22774, Jan 15, 2026
    affected >= 5.3.0, < 5.6.2; fixed 5.6.2

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in system

  • CVE-2025-57820 (High), Aug 26, 2025
    affected < 5.3.2; fixed 5.3.2

    Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leadin