GHSA-6738-r8g5-qwp3

Published: Jan 15, 2026
Source: github
GitHub: Reviewed
CVSS4: 5.3

Description

svelte vulnerable to Cross-site Scripting

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.
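The escaping gap described above, shown as an added example (this is not Svelte's source code or its actual fix): a string serialized with `JSON.stringify` alone is valid JavaScript but still carries markup the HTML parser acts on, while the hardened serializer emits the same value with no script-terminating characters. The names `renderHead` and `__demo` and the sample key are constructed for illustration.

```javascript
// Added illustration; hypothetical helpers, not Svelte internals.
// Characters that must not appear literally inside an inline <script> body.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Rewrites a JSON string so it parses to the same value but contains
// nothing the HTML tokenizer treats as markup.
function escapeForScript(json) {
  return json.replace(SCRIPT_UNSAFE, (c) => ESCAPES[c]);
}

// Unsafe form: quoting for JavaScript only; "<" and "/" pass through.
function serializeKeyNaive(key) {
  return JSON.stringify(key);
}

// Hardened form: quote for JavaScript, then escape for the HTML context.
function serializeKeySafe(key) {
  if (typeof key !== 'string') throw new TypeError('key must be a string');
  return escapeForScript(JSON.stringify(key));
}

// Hypothetical stand-in for the server-rendered <head> fragment.
function renderHead(key, value, serializeKey) {
  const payload = escapeForScript(JSON.stringify(value));
  return `<script>__demo.set(${serializeKey(key)}, ${payload});</script>`;
}

// Regression check: a single inline script must contain exactly one closer.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample key containing markup; inert marker text only.
const CONSTRUCTED_KEY = 'profile:</script><b>constructed</b>';

console.log(countScriptClosers(renderHead(CONSTRUCTED_KEY, { n: 1 }, serializeKeyNaive)));
console.log(countScriptClosers(renderHead(CONSTRUCTED_KEY, { n: 1 }, serializeKeySafe)));
```

A check like `countScriptClosers` can run in a server-side rendering test suite to catch any value that reaches an inline script without context-appropriate escaping.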

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

  • Impact: Arbitrary JS execution in the client’s browser.
  • Exploitability: Remote, single-request if key is attacker-controlled.
  • Typical Outcomes:
    • Session/token theft
    • DOM defacement
    • CSRF bypass via injected JS
    • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

Packages

Name: svelte (npm)
Affected versions: >= 5.46.0, <= 5.46.3
Fixed version: 5.46.4

EPSS

Percentile: 11%
0.00036
Low

CVSS4

5.3 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
nvd
23 days ago

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.
