Svelte vulnerable to XSS when using objects during server-side rendering
- Severity: Medium
Description
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
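To illustrate the failure mode the description names, here is an added example (not Svelte's own code) contrasting a hypothetical attribute renderer that only escapes values already of type string with one that coerces every value to a string before escaping; the `renderAttrWeak`, `renderAttrSafe` and `attributeBroken` names and the sample object are constructed for this illustration.

```javascript
// Added illustration, not Svelte's implementation: why an attribute escaper
// that only handles string values is bypassed by an object with a custom
// toString() during SSR.

// Escape the characters that matter inside a double-quoted attribute value.
function escapeChars(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Weak pattern (hypothetical): escape only when the value is already a string.
// Any other value is concatenated with its default string conversion, so an
// object's custom toString() output reaches the markup unescaped.
function renderAttrWeak(name, value) {
  const text = typeof value === 'string' ? escapeChars(value) : value;
  return `${name}="${text}"`;
}

// Hardened pattern: coerce first (this is what invokes a custom toString()),
// then escape the result, so every value type takes the same path.
function renderAttrSafe(name, value) {
  return `${name}="${escapeChars(String(value))}"`;
}

// Constructed sample: an object whose toString() closes the quoted attribute
// and starts a new one. The injected attribute is a harmless marker here.
const hostile = {
  toString() {
    return 'x" data-injected="1';
  },
};

// True when the rendered value still contains a raw double quote, i.e. the
// attribute boundary can be broken by the value.
function attributeBroken(rendered, name) {
  const body = rendered.slice(name.length + 2, -1); // strip name=" and trailing "
  return body.includes('"');
}
```

The weak renderer yields `title="x" data-injected="1"`, while the hardened one yields `title="x&quot; data-injected=&quot;1"`, which is what the 3.49.0 fix is intended to guarantee for object values.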
Recommendation
Update the svelte package to the latest compatible version. Version details are as follows:
- Affected version(s): < 3.49.0
- Patched version(s): 3.49.0
References
- Tags: npm, svelte
Last updated on September 07, 2023