org.webjars.npm:svelte@5.53.12

  • latest version

    5.53.12

  • first published

    5 years ago

  • latest version published

    2 months ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.npm:svelte package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Regular Expression Denial of Service (ReDoS)

    org.webjars.npm:svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the svelte:element tag validation process. An attacker can cause significant performance degradation by supplying specially crafted tag names of unconstrained length, leading to excessive processing time in the internal regular expression.

    Note:

    This is only exploitable if user-supplied tag names are not restricted in length or validated against a predetermined list.

    How to fix Regular Expression Denial of Service (ReDoS)?

    A fix was pushed into the master branch but not yet published.

    [5.53.12,)
    • M
    Cross-site Scripting (XSS)

    org.webjars.npm:svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of attributes using spread syntax from untrusted data, which includes event handler properties in the HTML output. An attacker can execute arbitrary JavaScript code in the victim's browser by injecting malicious event handlers through user-controlled or external data.

    Note:

    This is only exploitable if the user's browser has JavaScript enabled and the hydration mechanism does not reach the vulnerable element before the event fires.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • M
    Cross-site Scripting (XSS)

    org.webjars.npm:svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of attribute spreading and dynamic name attributes within form elements. An attacker can inject malicious scripts by manipulating both the spread attributes on a form element and the dynamic or spread attributes on an input or button element inside that form, when both are user-controllable.

    Note:

    This is only exploitable if attribute spreading is used on a form element and, within that form, attribute spreading or a dynamic value is allowed for the name attribute on an input or button element, with both being simultaneously user-controllable.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

    [0,)