Svelte SSR attribute spreading includes inherited properties from prototype chain
- Severity: Medium
Description
In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object’s prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte’s control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors.
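The enumeration difference described above, as an added example that is not Svelte's code: `serializeInherited`, `serializeOwn`, `ownPropsOnly` and `demo` are hypothetical names for a simplified attribute serializer, and the polluted `data-polluted` key is a constructed, benign stand-in for the precondition.

```javascript
// Simplified stand-in for an SSR attribute serializer (hypothetical, not Svelte's code).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// Pattern from the advisory: for...in also visits enumerable keys
// inherited through the prototype chain.
function serializeInherited(attrs) {
  let out = '';
  for (const name in attrs) out += ` ${name}="${escapeAttr(attrs[name])}"`;
  return out;
}

// Own-properties-only variant: Object.keys never returns inherited keys.
function serializeOwn(attrs) {
  let out = '';
  for (const name of Object.keys(attrs)) out += ` ${name}="${escapeAttr(attrs[name])}"`;
  return out;
}

// Defensive copy: own enumerable keys onto a null-prototype object, so even
// a for...in consumer has no prototype chain to walk.
function ownPropsOnly(attrs) {
  return Object.assign(Object.create(null), attrs);
}

function demo() {
  const attrs = { class: 'card', id: 'main' };
  // Constructed precondition: Object.prototype was polluted elsewhere.
  Object.prototype['data-polluted'] = '1';
  try {
    return {
      inherited: serializeInherited(attrs),
      own: serializeOwn(attrs),
      copied: serializeInherited(ownPropsOnly(attrs)),
    };
  } finally {
    delete Object.prototype['data-polluted']; // restore the clean prototype
  }
}

console.log(demo());
```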
Recommendation
Update the svelte package to the latest compatible version. Version details:
- Affected version(s): <= 5.51.4
- Patched version(s): 5.51.5
References
Related Issues
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Parse Server's Cloud function dispatch crashes server via prototype chain traversal - CVE-2026-32886
- Svelte SSR does not validate dynamic element tag names in `<svelte:element>` - CVE-2026-27122
- Svelte affected by XSS in SSR `<option>` element - CVE-2026-27119
- Tags: npm, svelte
Last updated on February 23, 2026