Svelte devalue Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability exists in the Svelte devalue library prior to version 5.3.2. The issue arises because the `devalue.parse` function does not validate that an index is numeric, and it allows a serialized string to be parsed into an object carrying a `__proto__` property. This oversight lets untrusted input manipulate object prototypes and properties, enabling prototype pollution attacks.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can manipulate an object's prototype, potentially leading to the overwriting of properties or the introduction of malicious behavior into objects.
Reproduction
To reproduce this vulnerability, use a version of the Svelte devalue library prior to 5.3.2. The vulnerability can be demonstrated by parsing, with the `devalue.parse` function, a string that represents an object with a `__proto__` property. This results in the prototype of the resulting object being overwritten. Additionally, the vulnerability can be shown by supplying a string where a numeric index is expected: `devalue.parse` uses the string as an index without checking its type, so a string naming an array prototype method resolves to that method, which is then assigned to the object property.
Remediation
Users can upgrade to Svelte devalue version 5.3.2 or later to address this vulnerability.
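For deployments that cannot upgrade immediately, the following added example (not code from the devalue project) shows a conservative pre-parse check. It assumes devalue's flattened format, a JSON array in which a plain-object entry maps property names to the integer index of another entry (small negative integers being reserved sentinels), and rejects the two payload shapes the advisory describes before anything reaches `devalue.parse`; as a conservative extension it also rejects the `constructor` and `prototype` keys.

```javascript
// Added example, not devalue's own code. Assumption: a serialized payload is a
// JSON array whose object entries map keys to integer indices of other entries;
// small negative integers are sentinels (e.g. undefined, NaN) and stay allowed.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isValidIndex(index, length) {
  // Indices must be integers; strings such as "map" would otherwise select
  // an Array.prototype method instead of an entry of the values array.
  return Number.isInteger(index) && index < length;
}

// Returns null when the payload passes, or a reason string when it must be
// rejected. Tagged entries such as ["Date", "..."] or ["Map", ...] are left
// to the library itself and are not inspected by this stopgap.
function checkSerialized(serialized) {
  let values;
  try {
    values = JSON.parse(serialized);
  } catch (e) {
    return "not valid JSON";
  }
  if (!Array.isArray(values)) return "top-level value is not an array";
  for (const [i, entry] of values.entries()) {
    if (Array.isArray(entry)) {
      if (typeof entry[0] === "string") continue; // tagged entry, not checked here
      for (const index of entry) {
        if (!isValidIndex(index, values.length)) {
          return `entry ${i}: non-integer index ${JSON.stringify(index)}`;
        }
      }
    } else if (entry !== null && typeof entry === "object") {
      // JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
      for (const key of Object.keys(entry)) {
        if (FORBIDDEN_KEYS.has(key)) return `entry ${i}: forbidden key "${key}"`;
        if (!isValidIndex(entry[key], values.length)) {
          return `entry ${i}: non-integer index for "${key}"`;
        }
      }
    }
  }
  return null;
}

// Constructed samples: the flattened form of {a: 1}, and the two rejected shapes.
const BENIGN = '[{"a":1},1]';
const PROTO_KEY = '[{"__proto__":1},true]';
const STRING_INDEX = '[{"x":"map"}]';
```

Run the check on the raw payload and only hand it to `devalue.parse` when it returns null.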
