Improper Validation of Specified Type of Input in devalue

Q: How to fix?

Upgrade devalue to version 5.6.4 or higher.

Introduced: 12 Mar 2026

How to fix?

Upgrade devalue to version 5.6.4 or higher.

Overview

devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the hydrate() function that can accept __proto__ keys emitted from devalue.parse() or devalue.unflatten() functions. An attacker can manipulate object properties by supplying input that creates objects with a __proto__ own property, which may lead to prototype pollution in downstream code when such objects are merged or assigned.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Validation of Specified Type of Input Affecting devalue package, versions <5.6.4

Severity

Do your applications use this vulnerable package?

Introduced: 12 Mar 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk