CVE-2026-30226
Received Received - Intake
Prototype Pollution in Svelte devalue v5.6.3 Causes DoS, Type Confusion

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30226
EUVD
EUVD-2026-11253
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
svelte devalue to 5.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30226 is a prototype pollution vulnerability in the JavaScript library 'devalue' version 5.6.3 and earlier. It affects the functions devalue.parse and devalue.unflatten, which do not properly restrict modifications to the prototype attributes of objects when processing input."}, {'type': 'paragraph', 'content': 'An attacker can exploit this vulnerability by sending maliciously crafted payloads that manipulate the prototype of base objects. This can lead to unexpected behavior such as Denial of Service (DoS) or type confusion.'}, {'type': 'paragraph', 'content': 'The vulnerability has a moderate severity with a CVSS v4 base score of 6.3, and it can be exploited remotely without requiring privileges or user interaction, although the attack complexity is high.'}] [1]

Impact Analysis

Exploitation of this vulnerability can lead to Denial of Service (DoS), causing the affected application or system to become unavailable or crash.

It can also cause type confusion, which may result in unexpected behavior or errors in the application.

There is no direct impact on confidentiality or integrity, and the overall impact on availability is considered low.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the devalue JavaScript library versions 5.6.3 and earlier, specifically the functions devalue.parse and devalue.unflatten. Detection involves identifying if these vulnerable versions of the devalue package are in use within your projects or dependencies.

You can check the installed version of devalue in your project by running the following command in your project directory:

  • npm list devalue

If you want to check for vulnerable versions across your entire dependency tree, you can use:

  • npm ls devalue

Additionally, scanning your codebase or dependencies for usage of devalue.parse or devalue.unflatten functions may help identify potential exposure.

Network detection of exploitation attempts is difficult due to the nature of the vulnerability (prototype pollution via crafted payloads in JavaScript). Monitoring logs for unusual errors or crashes related to type confusion or DoS in applications using devalue may help.

Mitigation Strategies

The primary mitigation step is to upgrade the devalue package to version 5.6.4 or later, where this prototype pollution vulnerability has been fixed.

If upgrading immediately is not possible, consider auditing and restricting the input to devalue.parse and devalue.unflatten functions to prevent malicious payloads from being processed.

Additionally, monitor your applications for unusual behavior such as crashes or denial of service symptoms that could indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart