Prototype Pollution Vulnerability in Style Dictionary by Amazon
CVE-2026-54639

8.8HIGH

Key Information:

Vendor

Style-dictionary

Status
Style-dictionary
Vendor
CVE Published:
24 June 2026

What is CVE-2026-54639?

Style Dictionary versions 4.3.0 through 5.4.4 contain a prototype pollution vulnerability that can be exploited through direct or indirect usage of the 'convertTokenData' function or the Expand API. The severity of the impact varies: High when integrated into NodeJS server applications, moderate in web applications, and lower when users maintain the tokens themselves. A patch is available in version 5.4.4, and the only current workaround involves sanitizing token data to check for object keys that include 'proto'.

Affected Version(s)

style-dictionary >= 4.3.0, < 5.4.4

References

https://github.com/style-dictionary/style-dictionary/secu...
x_refsource_CONFIRM
https://github.com/style-dictionary/style-dictionary/pull...
x_refsource_MISC
https://github.com/style-dictionary/style-dictionary/comm...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.