Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-6738-r8g5-qwp3: svelte vulnerable to Cross-site Scripting

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

  • Impact: Arbitrary JS execution in the client’s browser.
  • Exploitability: Remote, single-request if key is attacker-controlled.
  • Typical Outcomes:
    • Session/token theft
    • DOM defacement
    • CSRF bypass via injected JS
    • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

ghsa
Open in Source
#xss#csrf#vulnerability#js#git#java

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

  • Impact: Arbitrary JS execution in the client’s browser.
  • Exploitability: Remote, single-request if key is attacker-controlled.
  • Typical Outcomes:
    • Session/token theft
    • DOM defacement
    • CSRF bypass via injected JS
    • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

References

  • GHSA-6738-r8g5-qwp3
  • sveltejs/svelte@ef81048
  • https://github.com/sveltejs/svelte/releases/tag/svelte%405.46.4

ghsa: Latest News

GHSA-g2pg-6438-jwpf: devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse
ghsa