GHSA-mwv9-gp5h-frr4: Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `proto` own properties

March 12, 2026

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted

References

github.com/advisories/GHSA-mwv9-gp5h-frr4
github.com/sveltejs/devalue
github.com/sveltejs/devalue/releases/tag/v5.6.4
github.com/sveltejs/devalue/security/advisories/GHSA-mwv9-gp5h-frr4

Code Behaviors & Features

Detect and mitigate GHSA-mwv9-gp5h-frr4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →