Svelte SSR attribute spreading includes inherited properties from prototype chain
- Severity: Medium
Description
In server-side rendering, attribute spreading on elements (e.g. `<div {...attrs}>`) enumerates inherited properties from the object’s prototype chain rather than only own properties. In environments where `Object.prototype` has already been polluted — a precondition outside of Svelte’s control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors.
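The difference between enumerating inherited and own-only properties when serializing spread attributes, as an added JavaScript example (not Svelte's source or its patch). The function names are hypothetical, and a local prototype object stands in for a polluted `Object.prototype` so the global is never modified.

```javascript
// Added illustration; not Svelte's code. All function names are hypothetical.
const escapeAttr = (v) =>
  String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// Pattern described in the advisory: for...in walks the prototype chain,
// so enumerable inherited properties are emitted as attributes.
function spreadInherited(attrs) {
  let out = '';
  for (const name in attrs) {
    out += ` ${name}="${escapeAttr(attrs[name])}"`;
  }
  return out;
}

// Hardened form: Object.keys returns only own enumerable string keys.
function spreadOwnOnly(attrs) {
  let out = '';
  for (const name of Object.keys(attrs)) {
    out += ` ${name}="${escapeAttr(attrs[name])}"`;
  }
  return out;
}

// Constructed input: the own properties are what the component author passed;
// the prototype carries a property the author never set.
const inheritedProto = { 'data-inherited': 'from-prototype' };
const attrs = Object.assign(Object.create(inheritedProto), { class: 'card', id: 'main' });

function demo() {
  return {
    inherited: `<div${spreadInherited(attrs)}></div>`,
    ownOnly: `<div${spreadOwnOnly(attrs)}></div>`,
  };
}

// Defensive check for the precondition: a clean runtime has no enumerable
// keys on Object.prototype, so enumerating an empty object yields nothing.
function inheritedEnumerableKeys() {
  const found = [];
  for (const key in {}) found.push(key);
  return found;
}

console.log(demo(), inheritedEnumerableKeys());
```

A non-empty result from `inheritedEnumerableKeys()` at server start-up indicates that some dependency has already added enumerable properties to `Object.prototype`.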
Recommendation
Update the svelte package to the latest compatible version. Version details:
- Affected version(s): <= 5.51.4
- Patched version(s): 5.51.5
Related Issues
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
- Svelte SSR vulnerable to cross-site scripting via spread attributes - CVE-2026-42599
- Svelte SSR does not validate dynamic element tag names in `<svelte:element>` - CVE-2026-27122
- enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain - CVE-2026-22686
- Tags: npm, svelte
Last updated on February 23, 2026


