Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-54639— Style Dictionary - Prototype Pollution in convertTokenData utility function

CVSS 8.8 · High EPSS 0.13% · P3

Affected Version Matrix 1

VendorProductVersion RangeStatus
style-dictionarystyle-dictionary>= 4.3.0, < 5.4.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-54639

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Style Dictionary - Prototype Pollution in convertTokenData utility function
Source: NVD (National Vulnerability Database)
Vulnerability Description
Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of `convertTokenData(tokens, { output: 'object' });`; indirect usage, via using Expand API; and/or indirect usage via SD's transform lifecycle. Impact is high for this when style-dictionary is used as an integration in a NodeJS server application. Impact is moderate for when style-dictionary is used as an integration in a Web application. Impact is low for most common cases where the user of style-dictionary also maintains the tokens, and access is limited via read/write access to the repository/workflows where it is used. A patch has been published in version `5.4.4`. The only known workaround is to sanitize token data first. Whether using DTCG format or old Style Dictionary format, check the token data object recursively for any object keys that include `__proto__`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1321
Source: NVD (National Vulnerability Database)
Vulnerability Title
Style Dictionary 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Style Dictionary Style Dictionary是Style Dictionary团队开源的一个基于设计令牌(Design Tokens)的跨平台样式构建系统,让你只需定义一次样式,就能自动导出为 iOS、Android、CSS、JS 等多种平台所需的格式。 Style Dictionary 4.3.0版本至5.4.4之前版本存在输入验证错误漏洞,该漏洞源于原型污染,可能导致攻击者利用convertTokenData或Expand API进行攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
style-dictionarystyle-dictionary >= 4.3.0, < 5.4.4 -

II. Public POCs for CVE-2026-54639

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7117 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-54639

登录查看更多情报信息。

Patches & Fixes for CVE-2026-54639 (2)

Vendor Advisories for CVE-2026-54639 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-54639

No comments yet


Leave a comment