
Server-side cross-site scripting in svelte

Description

svelte vulnerable to Cross-site Scripting

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key that uniquely identifies the data, so that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.
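As an added illustration, not Svelte's own code or its actual fix, the JavaScript below shows a server renderer embedding a hydration key and value into a <script> block first verbatim, as the advisory describes, and then through a script-context escaper, with a self-check a renderer or test suite can run over its own output. The function names, the window.__HYDRATED__ global and the sample key are assumptions constructed for the example.

```javascript
// Added example (not Svelte's code): embedding a hydration key and its value
// inside a <script> block without letting a key that contains HTML-significant
// characters terminate the script. Names below are illustrative only.

// Inside a <script> body the HTML tokenizer does not understand JS escapes,
// so any literal "</script" or "<!--" ends or alters the block. Rewriting
// '<', '>' and '&' as JS unicode escapes keeps the HTML parser from seeing
// them while JSON.parse/eval restore the original characters. U+2028/U+2029
// are JS line terminators that older engines reject inside string literals.
const SCRIPT_ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// JSON.stringify yields a valid JS literal (quotes and backslashes already
// escaped); the replace step then neutralises the HTML-significant characters.
function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => SCRIPT_ESCAPES[c]);
}

// Unsafe variant, shown for contrast: the key's characters land in the
// script verbatim, which is the defect class the advisory describes.
function renderHydratableUnsafe(key, value) {
  return `<script>window.__HYDRATED__[${JSON.stringify(key)}] = ${JSON.stringify(value)};</script>`;
}

// Safe variant: both the key and the value pass through the escaper.
function renderHydratableSafe(key, value) {
  return `<script>window.__HYDRATED__[${serializeForScript(key)}] = ${serializeForScript(value)};</script>`;
}

// Output check: strip the wrapper tags, then require that the body contains
// no "</script" (any case) and no "<!--" comment opener.
function scriptBodyIsSafe(html) {
  const body = html.replace(/^<script>/, "").replace(/<\/script>$/, "");
  return !/<\/script/i.test(body) && !/<!--/.test(body);
}

// Constructed sample key carrying the script-terminating sequence.
const hostileKey = "item:</script><b>constructed</b>";
```

Running scriptBodyIsSafe over renderHydratableUnsafe(hostileKey, 1) returns false, while the safe variant returns true and JSON.parse(serializeForScript(hostileKey)) gives back the original key.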

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

    Impact: Arbitrary JS execution in the client’s browser.

    Exploitability: Remote, single-request if key is attacker-controlled.

    Typical Outcomes:

      Session/token theft

      DOM defacement

      CSRF bypass via injected JS

      Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.
