CVE-2025-57820
Prototype Pollution vulnerability in devalue (npm)
What is CVE-2025-57820 About?
This vulnerability allows for prototype pollution and unexpected property assignment in the `devalue.parse` function. Attackers can control object prototypes or assign array methods to properties, leading to property overwrites, unexpected behavior, or server-side validation bypass. Exploitation relies on crafted input to the `devalue.parse` function.
Affected Software
Technical Details
The `devalue.parse` function has two related flaws. First, it allows `__proto__` to be set during hydration: if the string passed to `devalue.parse` represents an object with a `__proto__` key (for example `{"x":1,"y":2,"magnitude":3,"__proto__":4}`, where `4` references another value in the serialized input), the referenced value becomes the parsed object's prototype, so an attacker decides which properties the object inherits and can override existing ones. Second, `devalue.parse` does not verify that the references it resolves are numeric array indices. A non-numeric string such as `"push"` is looked up on the array of serialized values and resolves to `Array.prototype.push`, so an array method ends up assigned to a property of the parsed object: `devalue.parse('[{"toString":"push"}]')` yields an object whose `toString()` returns `0`, because the call is really `Array.prototype.push` invoked on that object with no arguments. Either mechanism can be used for prototype pollution or to bypass server-side validation that inspects the parsed object.
What is the Impact of CVE-2025-57820?
Successful exploitation may allow attackers to modify object prototypes, leading to property overwrites, unexpected program behavior, logic flaws, or a bypass of server-side validation mechanisms.
What is the Exploitability of CVE-2025-57820?
Exploitation requires an attacker to provide specially crafted input to the `devalue.parse` function. The effort needed to craft a payload depends on the application's data structure, but it is straightforward for anyone familiar with prototype pollution techniques. There are no authentication or privilege requirements at the library level: if an application passes untrusted input to `devalue.parse`, it is vulnerable, and the vulnerability is remotely reachable whenever that input arrives over the network. Any application that deserializes data from untrusted sources with devalue is at risk, especially if the parsed objects are then used in sensitive operations or validation checks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-57820?
About the Fix from Resolved Security
This patch prevents objects with a `__proto__` key from being parsed by throwing an error, blocking the prototype-control attack. By explicitly disallowing the `__proto__` key during object hydration, it mitigates the risk described in CVE-2025-57820, where malicious inputs could manipulate the prototype chain of parsed objects and compromise application security.
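The two flaws from the Technical Details section and the check described in the fix above, as an added example that is not devalue's own code: a deliberately simplified model of the flat-array hydration that `devalue.parse` performs (JSON-parse an array of values, then treat the numbers inside objects and arrays as indices into that array). The model covers only primitives, arrays and plain objects, omits cycle handling and devalue's special encodings, and both payloads are constructed for this illustration. `hydrateUnsafe` reproduces both flaws; `hydrateSafe` rejects a `__proto__` key the way the 5.3.2 fix described above does, and additionally requires every reference to be an in-range integer, which is my assumption of what closing the second flaw needs rather than a description of the library's actual patch.

```javascript
// Added example, not devalue's source: a simplified model of devalue-style
// hydration. The input is a JSON array; numbers inside objects/arrays are
// indices into that array. No cycle handling, no special encodings.

function hydrateUnsafe(serialized) {
  const values = JSON.parse(serialized);

  function hydrate(index) {
    // FLAW 2: `index` is never checked to be a number. For the string "push"
    // this reads values["push"], i.e. Array.prototype.push, and hands the
    // function back as if it were serialized data.
    const value = values[index];
    if (typeof value !== 'object' || value === null) return value;
    if (Array.isArray(value)) {
      const arr = [];
      for (let i = 0; i < value.length; i += 1) arr.push(hydrate(value[i]));
      return arr;
    }
    const obj = {};
    for (const key in value) {
      // FLAW 1: a "__proto__" key is assigned like any other, so
      // obj.__proto__ = hydrate(...) replaces the object's prototype with
      // whatever value the attacker referenced.
      obj[key] = hydrate(value[key]);
    }
    return obj;
  }

  return hydrate(0);
}

function hydrateSafe(serialized) {
  const values = JSON.parse(serialized);
  if (!Array.isArray(values)) throw new Error('Invalid input');

  function hydrate(index) {
    // CHECK 2 (my addition): every reference must be an in-range integer index.
    if (!Number.isInteger(index) || index < 0 || index >= values.length) {
      throw new Error(`Invalid reference: ${JSON.stringify(index)}`);
    }
    const value = values[index];
    if (typeof value !== 'object' || value === null) return value;
    if (Array.isArray(value)) {
      const arr = [];
      for (let i = 0; i < value.length; i += 1) arr.push(hydrate(value[i]));
      return arr;
    }
    const obj = {};
    for (const key in value) {
      // CHECK 1: refuse the key outright, as the 5.3.2 fix does.
      if (key === '__proto__') throw new Error('Cannot parse object with __proto__ key');
      obj[key] = hydrate(value[key]);
    }
    return obj;
  }

  return hydrate(0);
}

// Constructed payloads, written as raw JSON strings on purpose: a JS object
// literal with a __proto__ key would set the prototype instead of creating
// the own property that JSON.parse produces and the attack relies on.
// Index 4 is an object carrying isAdmin (index 5 = true); "__proto__":4 on the
// root object makes that object the root's prototype.
const PROTO_PAYLOAD =
  '[{"x":1,"y":2,"magnitude":3,"__proto__":4},1,2,3,{"isAdmin":5},true]';
// "push" is not an index; it resolves to Array.prototype.push.
const PUSH_PAYLOAD = '[{"toString":"push"}]';

function errorMessage(fn) {
  try {
    fn();
    return null;
  } catch (err) {
    return err.message;
  }
}

function runDemo() {
  const point = hydrateUnsafe(PROTO_PAYLOAD);
  const leaky = hydrateUnsafe(PUSH_PAYLOAD);
  return {
    // The inherited flag passes a naive `if (point.isAdmin)` check even though
    // the object has no such own property.
    inheritedIsAdmin: point.isAdmin,
    ownIsAdmin: Object.prototype.hasOwnProperty.call(point, 'isAdmin'),
    toStringIsPush: leaky.toString === Array.prototype.push,
    // push() with no arguments on `leaky`: sets leaky.length = 0 and returns 0.
    toStringResult: leaky.toString(),
    safeProtoError: errorMessage(() => hydrateSafe(PROTO_PAYLOAD)),
    safePushError: errorMessage(() => hydrateSafe(PUSH_PAYLOAD)),
  };
}

console.log(runDemo());
```

Run it with `node` to see the unsafe parser hand back an object that inherits `isAdmin` and an object whose `toString` is `Array.prototype.push`, while the hardened parser rejects both payloads before any property is assigned.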
Available Upgrade Options
- devalue
  - <5.3.2 → Upgrade to 5.3.2
Additional Resources
- https://github.com/sveltejs/devalue
- https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132
- https://nvd.nist.gov/vuln/detail/CVE-2025-57820
- https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv
- https://osv.dev/vulnerability/GHSA-vj54-72f3-p5jv
What are Similar Vulnerabilities to CVE-2025-57820?
Similar Vulnerabilities: CVE-2020-28286, CVE-2020-8086, CVE-2020-7798, CVE-2020-7788, CVE-2019-11358
