In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:
const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted
elliott-with-the-longest-name-on-github Remediation developer
KarimPwnz Remediation reviewer
wim-vercel Remediation reviewer
mattiasljungstrom Reporter
In some circumstances,
devalue.parseanddevalue.unflattencould emit objects with__proto__own properties. This in and of itself is not a security vulnerability (and is possible with, for example,JSON.parseas well), but it can result in prototype injection if downstream code handles it incorrectly: