devalue@5.1.0 vulnerabilities

Gets the job done when JSON.stringify can't

  • latest version

    5.6.4

  • latest non vulnerable version

  • first published

    8 years ago

  • latest version published

    5 days ago

  • licenses detected

  • Direct Vulnerabilities

Known vulnerabilities in the devalue package. This does not include vulnerabilities belonging to this package’s dependencies. Every entry listed below has a vulnerable version range that includes 5.1.0, the version this page covers; upgrading to 5.6.4 or higher resolves all of them.

Vulnerability | Vulnerable version
    • M (Medium severity)
    Improper Validation of Specified Type of Input

    devalue is like JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set.

    Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input: the hydrate() function accepts objects carrying own __proto__ keys emitted by devalue.parse() or devalue.unflatten(). An attacker can supply input that creates objects with an own __proto__ property, which can lead to prototype pollution in downstream code when such objects are merged or assigned.

    How to fix Improper Validation of Specified Type of Input?

    Upgrade devalue to version 5.6.4 or higher.

    <5.6.4
    • M (Medium severity)
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution via the parse or unflatten functions. An attacker can manipulate object prototypes by supplying malicious payloads, potentially causing denial of service or type confusion.

    How to fix Prototype Pollution?

    Upgrade devalue to version 5.6.4 or higher.

    >=4.0.0 <5.6.4
    • L (Low severity)
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution via the uneval method. An attacker can manipulate object prototypes by supplying specially crafted untrusted data that, when processed and later evaluated, results in objects with altered prototypes.

    How to fix Prototype Pollution?

    Upgrade devalue to version 5.6.3 or higher.

    <5.6.3
    • M (Medium severity)
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the uneval() or stringify() functions. An attacker can cause CPU and memory exhaustion by submitting specially crafted sparse arrays.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade devalue to version 5.6.3 or higher.

    <5.6.3
    • H (High severity)
    Asymmetric Resource Consumption (Amplification)

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) due to improper validation of base64-encoded ArrayBuffer input during hydration when parsing data from untrusted sources. An attacker can cause excessive memory allocation and CPU usage by submitting specially crafted input, potentially leading to resource exhaustion and service disruption.

    How to fix Asymmetric Resource Consumption (Amplification)?

    Upgrade devalue to version 5.6.2 or higher.

    >=5.1.0 <5.6.2
    • C (Critical severity)
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution via the parse function. An attacker can manipulate object prototypes or assign array prototype methods to object properties by crafting malicious payloads, potentially leading to property overwrites or bypassing server-side validation.

    How to fix Prototype Pollution?

    Upgrade devalue to version 5.3.2 or higher.

    <5.3.2
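The prototype pollution entries above (parse/unflatten emitting objects with an own __proto__ key, and downstream merge or assign code turning that into pollution) are easiest to understand with the downstream half in hand. The following is an added example, not code from devalue or from this advisory: it constructs an object with an own __proto__ property using JSON.parse (which also produces such a property, so no devalue install or real devalue payload is needed), shows a typical recursive deep-merge polluting Object.prototype, and shows a hardened merge plus a scanner that rejects such objects before they reach merge logic. The payload string, the merge functions and the demo() helper are all constructed for this example.

```javascript
// Added example (not devalue's own code). Demonstrates why an object with an
// own "__proto__" key, of the kind the advisories say vulnerable
// devalue.parse()/unflatten() could return, is dangerous once merged, and
// how downstream code can defend itself regardless of the decoder's version.

// Keys that must never be copied from untrusted data into live objects.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed stand-in for untrusted decoded data: an own "__proto__" key
// nested inside otherwise ordinary-looking user preferences.
const CONSTRUCTED_PAYLOAD =
  '{"user":"alice","prefs":{"__proto__":{"isAdmin":true}}}';

// Deep-merge as commonly written: copies every enumerable key it sees.
// Reading target["__proto__"] returns Object.prototype, so the recursion
// descends into the global prototype and writes "isAdmin" there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep-merge: skips forbidden keys and only descends into
// properties the target actually owns, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.hasOwn(target, key) ? target[key] : undefined;
      if (!own || typeof own !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Scanner to run on decoded output before it reaches any merge or assign:
// returns true if any object in the graph carries an own "__proto__" key.
// Tracks visited objects so cyclical data (which devalue supports) terminates.
function hasOwnProtoKey(value, seen = new Set()) {
  if (!value || typeof value !== "object" || seen.has(value)) return false;
  seen.add(value);
  if (Object.hasOwn(value, "__proto__")) return true;
  for (const key of Object.keys(value)) {
    if (hasOwnProtoKey(value[key], seen)) return true;
  }
  return false;
}

// Runs one merge strategy against the constructed payload and reports whether
// Object.prototype was polluted, then cleans up so the next run starts fresh.
function demo(mergeFn) {
  const untrusted = JSON.parse(CONSTRUCTED_PAYLOAD);
  const config = { user: "", prefs: { theme: "dark" } };
  mergeFn(config, untrusted);
  const leaked = ({}).isAdmin === true; // true only if the prototype was polluted
  delete Object.prototype.isAdmin;
  return { leaked, config };
}

console.log("scanner flags payload:", hasOwnProtoKey(JSON.parse(CONSTRUCTED_PAYLOAD)));
console.log("naiveMerge polluted Object.prototype:", demo(naiveMerge).leaked);
console.log("safeMerge polluted Object.prototype:", demo(safeMerge).leaked);
```

The scanner is the check to apply at the trust boundary: if a decoded value fails hasOwnProtoKey, drop the request rather than trying to sanitize it. The hardened merge is the second layer, for code paths that cannot be sure every decoder upstream has been upgraded.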