CVE-2026-30226
Prototype Pollution in Svelte devalue v5.6.3 Causes DoS, Type Confusion
Publication date: 2026-03-11
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| svelte | devalue | < 5.6.4 (every release before the fixed version 5.6.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30226 is a prototype pollution vulnerability in the JavaScript library devalue, version 5.6.3 and earlier. It affects the functions devalue.parse and devalue.unflatten, which do not properly restrict modifications to the prototype attributes of objects while reconstructing values from their input.
An attacker can exploit this by supplying a crafted serialized payload that manipulates the prototype of base objects (Object.prototype and friends). Because every plain object inherits from that prototype, the effect is process-wide and can surface as a Denial of Service (DoS) or as type confusion in code that never touched the payload.
The vulnerability has moderate severity, with a CVSS v4 base score of 6.3: it is exploitable remotely without privileges or user interaction, but the attack complexity is rated high. [1]
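What the CWE-1321 pattern looks like inside a deserializer, as an added illustration that is not devalue's code and not the actual CVE-2026-30226 payload: a toy `unflattenNaive` that rebuilds nested objects from (path, value) pairs and walks keys without checking them, next to a hardened `unflattenSafe`. The flat format, the attacker payloads and all function names are constructed for this example.

```javascript
// Constructed toy format: an array of [path, value] pairs, e.g.
// [[["user", "name"], "alice"], [["user", "role"], "viewer"]].
// This is NOT devalue's wire format; it only reproduces the CWE-1321 pattern.

// Vulnerable: every key in the path is used as-is for traversal, so the key
// "__proto__" walks from a fresh {} into Object.prototype and the final
// assignment lands on the shared prototype instead of on the result.
function unflattenNaive(pairs) {
  const root = {};
  for (const [path, value] of pairs) {
    let cur = root;
    for (const key of path.slice(0, -1)) {
      if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
      cur = cur[key];
    }
    cur[path[path.length - 1]] = value;
  }
  return root;
}

// Hardened: reject the keys that reach the prototype chain and only descend
// into own properties, so inherited names such as "toString" are shadowed on
// the result object rather than walked into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function unflattenSafe(pairs) {
  const root = {};
  for (const [path, value] of pairs) {
    if (!Array.isArray(path) || path.length === 0) throw new TypeError('empty path');
    for (const key of path) {
      if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
        throw new TypeError(`refusing key ${JSON.stringify(key)}`);
      }
    }
    let cur = root;
    for (const key of path.slice(0, -1)) {
      if (!hasOwn(cur, key) || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
      cur = cur[key];
    }
    cur[path[path.length - 1]] = value;
  }
  return root;
}

// Type confusion: after the crafted payload, an object the parser never touched
// answers `true` for isAdmin through inheritance. Object.prototype is restored
// afterwards so the process stays usable.
function demonstrateTypeConfusion() {
  const payload = [[['__proto__', 'isAdmin'], true]]; // constructed attacker input
  try {
    unflattenNaive(payload);
    const unrelated = {};
    return { polluted: unrelated.isAdmin === true, ownProperty: hasOwn(unrelated, 'isAdmin') };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Denial of service: overwriting Object.prototype.toString with a non-function
// makes every string coercion of a plain object throw a TypeError.
function demonstrateDoS() {
  const payload = [[['__proto__', 'toString'], 42]]; // constructed attacker input
  const original = Object.prototype.toString;
  try {
    unflattenNaive(payload);
    try { String({}); return false; } catch (e) { return e instanceof TypeError; }
  } finally {
    Object.prototype.toString = original;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrateTypeConfusion()); // { polluted: true, ownProperty: false }
  console.log(demonstrateDoS());           // true
  try { unflattenSafe([[['__proto__', 'isAdmin'], true]]); } catch (e) { console.log(e.message); }
}
```

The `ownProperty: false` result is the tell-tale of pollution: the value is visible on every object but owned by none of them, which is why the usual `if (obj.isAdmin)` checks and `JSON.stringify` round trips disagree after an attack. The hardened variant fails closed on the three dangerous names and also refuses to descend through inherited properties, the two checks a library fix for this class of bug normally adds.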
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to Denial of Service (DoS), causing the affected application or system to become unavailable or crash.
It can also cause type confusion, which may result in unexpected behavior or errors in the application.
There is no direct impact on confidentiality or integrity, and the overall impact on availability is considered low.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the devalue JavaScript library up to and including version 5.6.3, specifically the functions devalue.parse and devalue.unflatten. Detection means finding whether a vulnerable copy of the devalue package is installed in your projects, including as a transitive dependency: devalue is usually pulled in by a framework (SvelteKit depends on it) rather than listed directly in package.json.
From the project directory, list every installed copy together with the packages that depend on it (npm ls and npm list are the same command, so either spelling works):
- npm ls devalue
If the output collapses nested dependencies, add --all. Equivalents for other package managers:
- pnpm why devalue
- yarn why devalue
- npm audit (reports the advisory for the installed versions once it is in the advisory database)
A lockfile check works without an installed node_modules; for an npm lockfile v2/v3, grep -n -A1 '"node_modules/devalue"' package-lock.json prints the resolved version next to each entry. Searching the codebase for uses of devalue.parse, devalue.unflatten, or imports from 'devalue' shows which code paths feed it input, which is what matters for exposure: only input an attacker can influence makes the bug reachable.
Network detection of exploitation attempts is difficult: the payload is ordinary serialized application data carried over whatever channel the application already uses for devalue output, so there is no generic signature to match. Monitoring application logs for TypeError crashes, unexpected property values, or denial-of-service symptoms in services that call devalue.parse or devalue.unflatten is the more practical signal.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the devalue package to version 5.6.4 or later, where this prototype pollution vulnerability has been fixed.
If upgrading immediately is not possible, audit where devalue.parse and devalue.unflatten receive their input and restrict them to data the application itself produced; any payload an attacker can influence (request bodies, query parameters, stored data a user can write) should not reach these functions until the fixed version is in place.
Additionally, monitor your applications for unusual behavior such as crashes or denial of service symptoms that could indicate exploitation attempts.
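Two application-side measures that back up the steps above while the upgrade is pending, as an added example that is not devalue code: a canary that reports own properties Object.prototype has gained since startup (for a health check, a test suite, or the monitoring mentioned above), and an opt-in freeze of the built-in prototypes so that a pollution attempt becomes a failed assignment instead of a process-wide change. All function names are assumptions.

```javascript
// Added example (not devalue code): defence in depth against prototype
// pollution at the application level. Function names are assumptions.

// Snapshot the own keys of Object.prototype as early in startup as possible,
// before any untrusted input has been deserialized.
function snapshotPrototypeKeys(proto = Object.prototype) {
  return new Set(Reflect.ownKeys(proto));
}
const BASELINE = snapshotPrototypeKeys();

// Keys that appeared on Object.prototype after the baseline was taken; a
// non-empty result is a strong indicator that a pollution payload got through.
function unexpectedPrototypeKeys(baseline = BASELINE, proto = Object.prototype) {
  return Reflect.ownKeys(proto).filter((k) => !baseline.has(k)).map(String);
}

// Freeze the prototypes pollution payloads aim at. Caveat: call this once, after
// polyfills and any library that legitimately extends prototypes have loaded;
// after the freeze such writes fail (silently in sloppy mode, with a TypeError
// in strict mode and in ES modules). Returns true when every target is frozen.
function hardenPrototypes(protos = [Object.prototype, Array.prototype, Function.prototype]) {
  for (const p of protos) Object.freeze(p);
  return protos.every((p) => Object.isFrozen(p));
}

// Simulates the final step of a pollution gadget and reports whether it took
// effect. Reflect.set returns false on a frozen target instead of throwing,
// which keeps the probe usable from strict code; the key is removed afterwards.
function pollutionAttemptSucceeds(key = 'polluted') {
  try {
    return Reflect.set(Object.prototype, key, true) && ({})[key] === true;
  } finally {
    Reflect.deleteProperty(Object.prototype, key);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before hardening:', pollutionAttemptSucceeds()); // true
  hardenPrototypes();
  console.log('after hardening:', pollutionAttemptSucceeds());  // false
  console.log('unexpected keys:', unexpectedPrototypeKeys());   // []
}
```

Run `unexpectedPrototypeKeys()` from a health endpoint or at the end of each test run to turn "unusual behaviour" into a concrete signal; apply `hardenPrototypes()` only after confirming in staging that nothing in the dependency tree writes to those prototypes at runtime, since a frozen prototype turns such a write into a startup failure rather than a warning.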