Vulnerability DatabaseCVE-2025-57820
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-57820
August 26, 2025
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2
Affected Packages
https://github.com/sveltejs/devalue.git (GITHUB):
Affected version(s) >=v1.0.0 <v5.3.2
Fix Suggestion:
Update to version v5.3.2
devalue (NPM):
Affected version(s) >=1.0.0 <5.3.2
Fix Suggestion:
Update to version 5.3.2
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (4)
https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132
https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv
https://nvd.nist.gov/vuln/detail/CVE-2025-57820
https://github.com/sveltejs/devalue
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1321
EPSS
Base Score:
0.12