Description
devalue prototype pollution vulnerability
1. devalue.parse allows __proto__ to be set
A string passed to devalue.parse could represent an object with a __proto__ property, which would assign a prototype to an object while allowing properties to be overwritten:
2. devalue.parse allows array prototype methods to be assigned to object
In a payload constructed with devalue.stringify, values are represented as array indices, where the array contains the 'hydrated' values:
devalue.parse does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:
This could be used by a creative attacker to bypass server-side validation.
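The two defects above are both missing input checks in the hydration step, so the natural mitigation is a hydration pass that refuses a "__proto__" property name and refuses any reference that is not an in-range integer index. The following is an added example written for this page, not devalue's own code; it assumes a simplified devalue-like layout (a flat JSON array where a number inside an object or array is an index into that array) and, unlike devalue, does not support cyclic references. Names such as safeParse and hydrate are this example's own.

```javascript
// Added example, not devalue's own code: a hardened hydration pass over a
// devalue-style payload, modelled (as an assumption) as a flat JSON array in
// which a number inside an object or array is an index into that same array.
// The two checks mirror the two defects in the advisory: a property name of
// "__proto__" is rejected instead of being assigned, and every index must be
// a non-negative integer inside the payload, so a string such as an Array
// method name can never be used to look up a value.

// Conservative choice: "__proto__" is what the advisory names; "constructor"
// and "prototype" are refused as well because they are the usual next link in
// a pollution chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isValidIndex(ref, length) {
  return Number.isInteger(ref) && ref >= 0 && ref < length;
}

// Hydrates an already-parsed flat array. Throws on any malformed reference.
// Simplification: cyclic references are rejected rather than supported.
function hydrate(payload) {
  if (!Array.isArray(payload)) throw new Error("payload must be an array");
  const hydrated = new Map();
  const visiting = new Set();

  function resolve(ref) {
    if (!isValidIndex(ref, payload.length)) {
      throw new Error(`invalid index ${JSON.stringify(ref)}`);
    }
    if (hydrated.has(ref)) return hydrated.get(ref);
    if (visiting.has(ref)) throw new Error(`cycle through index ${ref}`);
    visiting.add(ref);

    const raw = payload[ref];
    let value;
    if (Array.isArray(raw)) {
      value = raw.map((inner) => resolve(inner));
    } else if (raw !== null && typeof raw === "object") {
      value = {};
      for (const [key, inner] of Object.entries(raw)) {
        if (FORBIDDEN_KEYS.has(key)) {
          throw new Error(`forbidden property name ${JSON.stringify(key)}`);
        }
        // defineProperty creates an own data property and never consults the
        // prototype chain, unlike a plain value[key] = ... assignment.
        Object.defineProperty(value, key, {
          value: resolve(inner),
          enumerable: true,
          writable: true,
          configurable: true,
        });
      }
    } else {
      // A string, number, boolean or null stored directly in the flat array is
      // a literal value, not a reference.
      value = raw;
    }
    visiting.delete(ref);
    hydrated.set(ref, value);
    return value;
  }

  return resolve(0);
}

// Wraps JSON.parse and hydrate into a result object so a caller never sees a
// partially built value when the payload is rejected.
function safeParse(text) {
  try {
    return { ok: true, value: hydrate(JSON.parse(text)) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample inputs: one well-formed payload, one carrying a
// "__proto__" key, one using a method name instead of a numeric index.
const OK_PAYLOAD = '[{"name":1,"tags":2},"alice",[3,4],"a","b"]';
const PROTO_PAYLOAD = '[{"__proto__":1},{"polluted":true}]';
const NON_NUMERIC_INDEX_PAYLOAD = '[{"a":"push"}]';
```

Note that the "__proto__" test input must come from JSON.parse (or any real deserializer), because a JavaScript object literal written with a `__proto__` key does not create an own property of that name; that is exactly why the check has to live in the hydration step rather than rely on how the object was built.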
Packages
devalue: affected versions < 5.3.2; patched in 5.3.2
Related vulnerabilities
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property, and devalue.parse did not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2.