CybrWolf

CVE-2025-57820: Prototype Pollution in Svelte devalue Library

CVE-2025-57820 is a high-severity prototype pollution vulnerability in devalue, the Svelte project's serialization library, affecting versions before 5.3.2. A crafted string passed to devalue.parse can modify object prototypes because keys named __proto__ were assigned like any other key instead of being rejected. A polluted prototype is inherited by other objects in the same process, so the damage is not confined to the parsed value: depending on how the application uses those objects, the attacker can inject or override properties, bypass checks that read inherited values, or crash the process. The issue is fixed in version 5.3.2.

Vulnerability Details of CVE-2025-57820

  • CVE ID: CVE-2025-57820
  • Affected Software: Svelte devalue (utility library for JS data serialization)
  • Affected Versions: Prior to 5.3.2
  • CWE Identifier: CWE-1321 – Improperly Controlled Modification of Object Prototype Attributes (“Prototype Pollution”)
  • CVSS v4.0 Score: 7.9 (High)
  • Attack Vector: Network (the crafted string reaches devalue.parse in data the application accepts from a remote client)
  • Privileges Required: None
  • User Interaction: None
  • Scope: pollution of a shared prototype affects every object in the process, not only the parsed value; CVSS v4.0 has no Scope metric, this spill-over is what its Subsequent System impact metrics capture
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Exploitation Path

An attacker who can deliver a string to devalue.parse (for example as serialized data the application accepts from a client) includes an object whose key is __proto__. Vulnerable versions assign that key without checking it, so instead of creating an own property the assignment reaches the prototype chain, and the attacker's properties become inherited by other objects. In practice this means overridden methods, injected flags that authorization or feature checks read as inherited values, and logic bypasses elsewhere in the application. No credentials and no user interaction are needed beyond getting the input parsed.

Mitigation Steps

To secure applications using devalue:

  • Update Immediately: Upgrade to devalue 5.3.2 or later. Check transitive dependencies too (npm ls devalue), since frameworks and tooling commonly pull devalue in indirectly and the fix may need to arrive through a dependency update.
  • Validate Input: Treat anything passed to devalue.parse as untrusted unless your own server produced it; only parse data in the shape you expect.
  • Avoid Parsing Untrusted Payloads: As defence in depth, reject serialized input that contains a __proto__ key (and the related constructor and prototype keys) before parsing, and after parsing verify that Object.prototype has gained no enumerable properties.
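To make the exploitation path and the mitigations above concrete, here is an added example (it is not devalue's code, and the JSON input format, the helper names and the PAYLOAD are constructed for illustration). It uses the common recursive-hydration shape of this bug class rather than devalue's exact wire format: the vulnerable hydrator recurses into target[key] for nested objects, and because target["__proto__"] on a plain object is the inherited Object.prototype, the attacker's nested properties land on the shared prototype. The hardened version applies the two standard controls: refusing the dangerous keys and building null-prototype objects.

```javascript
// Added example (not devalue's code): a minimal recursive deserializer that
// reproduces the CWE-1321 bug class described above, next to a hardened
// version. The JSON input format, helper names and PAYLOAD are constructed.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable hydrator. For a nested object it recurses into target[key].
// When key is "__proto__", target[key] is not an own property but the
// inherited prototype (Object.prototype for a plain object), so the
// recursion writes attacker-controlled properties into the shared prototype.
function unsafeHydrate(target, data) {
  for (const key of Object.keys(data)) {           // BUG: key is never checked
    const value = data[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeHydrate(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function unsafeParse(serialized) {
  return unsafeHydrate({}, JSON.parse(serialized));
}

// Hardened hydrator: refuse keys that reach the prototype chain, only recurse
// into own properties, and build null-prototype objects so a missed key could
// not climb to Object.prototype anyway.
function safeHydrate(target, data) {
  for (const key of Object.keys(data)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to hydrate forbidden key "${key}"`);
    }
    const value = data[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeHydrate(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function safeParse(serialized) {
  return safeHydrate(Object.create(null), JSON.parse(serialized));
}

// Constructed attacker payload. JSON.parse creates an own "__proto__" data
// property on the intermediate object, so Object.keys() hands it to the hydrator.
const PAYLOAD = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs the vulnerable parser and records the effect on an unrelated object.
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function demonstratePollution() {
  const before = ({}).isAdmin;                       // undefined on a clean runtime
  const user = unsafeParse(PAYLOAD);
  const result = {
    before,
    after: ({}).isAdmin,                             // true: every object now inherits it
    userOwnsIsAdmin: Object.hasOwn(user, "isAdmin"), // false: it is inherited, not own
    userIsAdmin: user.isAdmin,                       // true: an authz check would pass
  };
  delete Object.prototype.isAdmin;
  return result;
}

// Runs the hardened parser on the same payload.
function demonstrateHardening() {
  let threw = false;
  try {
    safeParse(PAYLOAD);
  } catch (e) {
    threw = true;
  }
  return { threw, polluted: ({}).isAdmin === true };
}

// Post-parse check an application can run after any deserializer: a clean
// Object.prototype has no enumerable properties.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

console.log("vulnerable:", demonstratePollution());
console.log("hardened:", demonstrateHardening());
console.log("prototype clean:", prototypeIsClean());
```

The point of the userOwnsIsAdmin / userIsAdmin pair is the logic-bypass case from the exploitation path: a check written as user.isAdmin passes even though the attacker never set an own property on the parsed object. Whether devalue 5.3.2 rejects the key or avoids the prototype some other way is not reproduced here; the block only shows the bug class and the two controls an application can apply around any deserializer.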
