CVE-2025-57820

Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2

CVSS

No CVSS.

References

Link	Resource
https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132
https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv

Configurations

No configuration.

History

29 Aug 2025, 16:22

Type	Values Removed	Values Added
Summary		(es) Svelte devalue es una librería de utilidades. Antes de la versión 5.3.2, una cadena pasada a devalue.parse podía representar un objeto con una propiedad __proto__ y devalue.parse no verificaba si un índice era numérico. Esto podía provocar la asignación de prototipos a objetos y propiedades, lo que generaba contaminación de prototipos. Este problema se ha corregido en la versión 5.3.2.

26 Aug 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-26 23:15

Updated : 2025-08-29 16:22

NVD link : CVE-2025-57820

Mitre link : CVE-2025-57820

CVE.ORG link : CVE-2025-57820

JSON object : View

Products Affected

No product.

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2025-57820", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-26T23:15:35.730", "references": [{"url": "https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132", "source": "security-advisories@github.com"}, {"url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2"}, {"lang": "es", "value": "Svelte devalue es una librer\u00eda de utilidades. Antes de la versi\u00f3n 5.3.2, una cadena pasada a devalue.parse pod\u00eda representar un objeto con una propiedad __proto__ y devalue.parse no verificaba si un \u00edndice era num\u00e9rico. Esto pod\u00eda provocar la asignaci\u00f3n de prototipos a objetos y propiedades, lo que generaba contaminaci\u00f3n de prototipos. Este problema se ha corregido en la versi\u00f3n 5.3.2."}], "lastModified": "2025-08-29T16:22:31.970", "sourceIdentifier": "security-advisories@github.com"}