devalue prototype pollution vulnerability
- devalue.parse allows proto to be set A string passed to devalue.parse could represent an object with a proto property, which would assign a prototype to an object while allowing properties to be overwritten: class Vector { constructor(x, y) { this.x = x; this.y = y; } get magnitude() { return (this.x ** 2 + this.y ** 2) ** 0.5; } } const payload =
[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]; const vector = devalue.parse(payload, …