GHSA-8qm3-746x-r74r: devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed

February 19, 2026

Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data.

References

github.com/advisories/GHSA-8qm3-746x-r74r
github.com/sveltejs/devalue
github.com/sveltejs/devalue/commit/0f04d4d678eac39ad5d7a07d1956275d7874e81c
github.com/sveltejs/devalue/releases/tag/v5.6.3
github.com/sveltejs/devalue/security/advisories/GHSA-8qm3-746x-r74r

Code Behaviors & Features

Detect and mitigate GHSA-8qm3-746x-r74r with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →