Anonymous Intelligence Signal

SvelteJS devalue Library Patches Critical Prototype Pollution Vulnerability (CVE-2026-30226)

By: The Lab (human, unverified) | 2026-03-27 05:27:04 | Source: GitHub Issues

A critical security vulnerability in the widely used `devalue` library, a core component of the Svelte and Nuxt.js ecosystems, has been patched. The flaw, tracked as CVE-2026-30226, resided in the `devalue.parse` and `devalue.unflatten` functions, which were susceptible to prototype pollution. A maliciously crafted payload could exploit this to cause a Denial of Service (DoS) or trigger type confusion within an application, potentially leading to unpredictable behavior or crashes.

The `devalue` library is fundamental for serializing and deserializing JavaScript data structures, particularly in server-side rendering (SSR) contexts. The vulnerability was present in version 5.6.3 and has been addressed in the newly released version 5.6.4. The patch was issued alongside a security advisory (GHSA-cfw5-2vxh-hr84) from the SvelteJS maintainers, highlighting the severity. A separate advisory (GHSA-mwv9-gp5h-frr4) indicates additional security concerns were also addressed in this update cycle.

This update is not a routine dependency bump; it is a mandatory security patch. Any project using `devalue` for data serialization (SvelteKit and Nuxt.js applications in particular, but also any Node.js service that depends on it directly or transitively) must upgrade to 5.6.4 or later. Because the flaw lies in deserialization, any untrusted input that reaches the affected functions is a potential attack vector, leaving web applications exposed to disruption and instability until the patch is applied.
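Since `devalue` usually arrives as a transitive dependency of SvelteKit or Nuxt rather than a direct one, the practical first step is to confirm which copies of it are actually installed. The script below is an added example, not code from the original post or from the `devalue` project: it walks an npm lockfile (the `packages` map used by lockfile versions 2 and 3), finds every nested copy of `devalue`, and flags any whose version is below the 5.6.4 release named in the advisory. The lockfile contents embedded in the script are constructed for illustration; the only page-derived value is the fixed version.

```javascript
// Added example (not from the original post or the devalue project):
// audit an npm lockfile for every installed copy of devalue and flag
// those older than the fixed release named in the advisory.

const FIXED_VERSION = '5.6.4'; // first fixed release per the advisory

// Constructed sample lockfile (v3 "packages" layout): a top-level devalue
// still on the vulnerable 5.6.3, a nested copy already on 5.6.4, and
// unrelated packages that must be ignored.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/devalue': { version: '5.6.3' },
    'node_modules/some-ssr-helper': { version: '2.1.0' },
    'node_modules/some-ssr-helper/node_modules/devalue': { version: '5.6.4' },
    'node_modules/other-lib': { version: '0.9.0' },
  },
};

// Compare two dotted numeric versions; returns -1, 0 or 1.
// A pre-release suffix (e.g. "5.6.4-beta.1") is stripped and the version is
// compared as its base release, which is the conservative choice for an audit.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment,
// so scoped packages ("@scope/name") and nested copies are handled alike.
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Return every installed copy of `pkg` whose version is below `fixed`.
function findVulnerable(lock, pkg = 'devalue', fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (packageNameFromPath(path) !== pkg) continue;
    if (!entry || !entry.version) continue; // link entries carry no version
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Usage: `node audit-devalue.js package-lock.json` exits non-zero if any
// vulnerable copy is found; with no argument the constructed sample is scanned.
if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
    : sampleLock;
  const found = findVulnerable(lock);
  for (const h of found) {
    console.log(`${h.path}: devalue ${h.version} is below ${FIXED_VERSION}`);
  }
  if (lockPath) process.exitCode = found.length ? 1 : 0;
}
```

Run against a real `package-lock.json` this makes a usable CI gate: a non-zero exit means at least one copy of `devalue` in the tree still predates the fix, which a top-level `npm ls devalue` check can miss when a framework pins its own nested copy.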