Svelte vulnerable to XSS when using objects during server-side rendering
- Severity: Medium
Description
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attribute values when objects are rendered during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
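As an added illustration (not Svelte's own code), the following contrasts an SSR attribute helper that escapes only string-typed values, so a non-string value with a custom toString() reaches the markup unescaped, with a hardened helper that coerces every value to a string before escaping. The helper names and the sample object are assumptions constructed for this example.

```javascript
// Added example: type-gated escaping vs. coerce-then-escape in an SSR attribute helper.
// Not Svelte's code; names and sample values are constructed for illustration.

const ESCAPED = { '"': '&quot;', "'": '&#39;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };

function escapeString(str) {
  return str.replace(/["'&<>]/g, (ch) => ESCAPED[ch]);
}

// Weak helper: escapes only when the value is already a string. Any other value
// is passed through, and the template literal below calls its toString() unescaped.
function weakAttr(name, value) {
  const rendered = typeof value === 'string' ? escapeString(value) : value;
  return ` ${name}="${rendered}"`;
}

// Hardened helper: coerce first (this is where toString() runs), then escape,
// so whatever toString() returns gets the same treatment as a plain string.
function safeAttr(name, value) {
  return ` ${name}="${escapeString(String(value))}"`;
}

// Constructed sample: an object whose toString() yields markup characters.
const untrustedObject = {
  toString() { return '" data-x="<b>injected</b>'; },
};

function renderWeak() {
  return `<div${weakAttr('title', untrustedObject)}></div>`;
}

function renderSafe() {
  return `<div${safeAttr('title', untrustedObject)}></div>`;
}

// Regression check: the title attribute value must contain no raw quote or
// angle bracket, and the injected element must not appear anywhere in the markup.
function attributeValueIsEscaped(markup) {
  const m = markup.match(/title="([^"]*)"/);
  return m !== null && !/[<>"]/.test(m[1]) && !markup.includes('<b>');
}
```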
Recommendation
Update the svelte package to the latest compatible version. Version details follow:
- Affected version(s): < 3.49.0
- Patched version(s): 3.49.0
References
Related Issues
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` - CVE-2026-27901
- jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label - CVE-2022-31160
- Tags:
- npm
- svelte
Last updated on September 07, 2023