Svelte vulnerable to XSS when using objects during server-side rendering
- Severity: Medium
Description
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Recommendation
Update the svelte package to the latest compatible version. Version details:
- Affected version(s): < 3.49.0
- Patched version(s): 3.49.0
- Tags: npm, svelte
Last updated on September 07, 2023