VYPR

Devalue

by Sveltejs

npm: devalue

Source repositories

CVEs (5)

  • CVE-2025-57820 | High | Aug 26, 2025
    risk 0.44 | cvss | epss 0.00

    Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties,…

  • CVE-2026-42570 | High | Jun 9, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than…

  • CVE-2026-30226 | Mar 11, 2026
    risk 0.00 | cvss | epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful…

  • CVE-2026-22775 | Jan 15, 2026
    risk 0.00 | cvss | epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in…

  • CVE-2026-22774 | Jan 15, 2026
    risk 0.00 | cvss | epss 0.00

    Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in…