CVE-2026-54639
Prototype Pollution in Style Dictionary

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Users are affected through direct usage of `convertTokenData(tokens, { output: 'object' });`, indirect usage via the Expand API, and/or indirect usage via SD's transform lifecycle. Impact is high when style-dictionary is integrated into a NodeJS server application, moderate when it is integrated into a Web application, and low in the most common case, where the user of style-dictionary also maintains the tokens and access is limited via read/write access to the repository/workflows where it is used. A patch has been published in version `5.4.4`. The only known workaround is to sanitize token data first: whether using DTCG format or the old Style Dictionary format, check the token data object recursively for any object keys that include `__proto__`.
Affected Vendors & Products
Showing 2 associated CPEs

Vendor             Product            Version / Range
style_dictionary   style_dictionary   up to 5.4.4 (excluding)
style_dictionary   style_dictionary   5.4.4
CWE ID     Description
CWE-1321   The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
AI Quick Actions
Executive Summary

CVE-2026-54639 is a prototype pollution vulnerability in the Style Dictionary library, specifically in the `convertTokenData` utility function. This vulnerability occurs when malicious token data containing keys like `__proto__` is processed, allowing an attacker to modify the global Object prototype. Such manipulation can cause unintended behavior or security risks in applications using Style Dictionary.

The vulnerability affects versions from 4.3.0 up to but not including 5.4.4 and can be exploited through direct use of `convertTokenData` with `output: 'object'`, indirect use via the Expand API, or during the transform lifecycle in Node.js server applications.

A patch fixing this issue was released in version 5.4.4, and the known workaround is to sanitize token data to remove any `__proto__` keys before processing.

Impact Analysis

The impact of this vulnerability varies depending on how Style Dictionary is used:

  • High impact when Style Dictionary is integrated into a Node.js server application, as prototype pollution can lead to serious security issues including arbitrary code execution.
  • Moderate impact when used in web applications, where the risk is lower but still significant.
  • Low impact in common cases where users maintain token data and restrict access via repository or workflow permissions.

Overall, the vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity with potential impacts on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by inspecting the token data objects used with Style Dictionary, specifically checking for any object keys that include '__proto__'. Since the vulnerability arises when malicious token data containing '__proto__' keys is processed, scanning token data recursively for such keys is essential.

No network-level detection commands are provided for this issue. Instead, audit your Style Dictionary usage in your NodeJS server or web application to identify whether a vulnerable version (4.3.0 up to but not including 5.4.4) is in use and whether the convertTokenData function is called with output set to 'object'.

A practical approach is to write a script or use a recursive function to scan your token data JSON or JavaScript objects for any keys named '__proto__'. For example, in NodeJS, you might run a custom script to traverse your token data files and log any occurrences of '__proto__' keys.

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade Style Dictionary to version 5.4.4 or later, where the prototype pollution issue has been patched.

If upgrading is not immediately possible, sanitize your token data before processing it with Style Dictionary. Specifically, recursively check and remove any keys named '__proto__' from your token data objects.
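One way to implement the recursive scan described under Detection Guidance together with the sanitization step above, as an added example that is not code from Style Dictionary or from this advisory: the function names, the sample token file, and the extra `constructor`/`prototype` keys are assumptions.

```javascript
// Added example (not Style Dictionary's own code): find and strip
// prototype-polluting keys from token data, per the advisory's workaround.
// The advisory names only `__proto__`; `constructor` and `prototype` are an
// added defensive extension (assumption, not from the advisory).
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed token tree and return dotted paths of every dangerous key.
// Object.entries sees "__proto__" because JSON.parse creates it as an OWN
// enumerable property (an object literal's __proto__ would set the prototype).
function findDangerousKeys(node, path = [], found = []) {
  if (node === null || typeof node !== 'object') return found;
  const entries = Array.isArray(node)
    ? node.map((v, i) => [String(i), v])
    : Object.entries(node);
  for (const [key, value] of entries) {
    const here = [...path, key];
    if (DANGEROUS_KEYS.has(key)) found.push(here.join('.'));
    findDangerousKeys(value, here, found);
  }
  return found;
}

// Return a deep copy of the token tree with dangerous keys dropped.
function sanitizeTokens(node) {
  if (node === null || typeof node !== 'object') return node;
  if (Array.isArray(node)) return node.map(sanitizeTokens);
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    if (!DANGEROUS_KEYS.has(key)) out[key] = sanitizeTokens(value);
  }
  return out;
}

// Constructed sample: DTCG-style tokens with a smuggled "__proto__" group,
// kept as a JSON string so the key survives as an own property after parsing.
const SAMPLE_TOKENS_JSON = `{
  "color": {
    "primary": { "$type": "color", "$value": "#0055ff" },
    "__proto__": { "polluted": { "$type": "color", "$value": "#ff0000" } }
  },
  "size": { "base": { "$type": "dimension", "$value": "16px" } }
}`;
// Scan the sample, sanitize it, and re-scan the sanitized copy.
function scanSample() {
  const tokens = JSON.parse(SAMPLE_TOKENS_JSON);
  const hits = findDangerousKeys(tokens);
  const clean = sanitizeTokens(tokens);
  return { hits, clean, cleanHits: findDangerousKeys(clean) };
}
console.log(scanSample().hits); // [ 'color.__proto__' ]
```

Run the scan over each token file before it reaches `convertTokenData` or the Expand API, and fail the build when `findDangerousKeys` returns a non-empty list.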

As a temporary workaround, you can set the 'expand' option to false in the Style Dictionary configuration to prevent indirect exploitation via the Expand API.

Compliance Impact

The prototype pollution vulnerability in Style Dictionary (CVE-2026-54639) poses a high risk to confidentiality, integrity, and availability, especially when used in NodeJS server applications. Such risks can lead to unauthorized data manipulation or exposure, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive information.

Because the vulnerability allows attackers to manipulate the global object prototype, it could lead to arbitrary code execution or other security breaches, increasing the likelihood of data breaches or unauthorized access. This undermines the security controls expected under these regulations.

Mitigation requires patching to version 5.4.4 or sanitizing token data to prevent exploitation. Failure to address this vulnerability could result in non-compliance with standards that mandate secure software development and vulnerability management.
