Homepage

svelte@3.0.0-alpha2 vulnerabilities

Cybernetically enhanced web apps

  • latest version

    5.53.5

  • latest non vulnerable version

    5.53.5

  • first published

    9 years ago

  • latest version published

    20 hours ago

  • licenses detected

  • View svelte package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the svelte package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • L
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the spread syntax when rendering attributes from untrusted data during server-side rendering. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting malicious event handler properties through user-controlled or external data.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.51.5 or higher.

    <5.51.5
    • L
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the svelte:element tags. An attacker can inject arbitrary HTML into the server-side rendered output by supplying a crafted tag name.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.51.5 or higher.

    <5.51.5
    • M
    Improperly Controlled Modification of Dynamically-Determined Object Attributes

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker can inject unexpected attributes or cause errors in the rendered output by polluting the Object.prototype prior to rendering.

    Note:

    This is only exploitable if the environment's Object.prototype has already been modified before rendering occurs.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade svelte to version 5.51.5 or higher.

    <5.51.5
    • M
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to a mismatch between attribute value and other string sanitization rules. An attacker can execute scripts by injecting malicious content into an attribute in a <noscript> tag.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 4.2.19 or higher.

    <4.2.19
    • M
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 3.49.0 or higher.

    <3.49.0
    • M
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when objects are rendered directly to attribute values as unescaped strings. This means an object with a custom toString() can result in raw html injection.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 3.46.5 or higher.

    <3.46.5
    Go back to all versions of this package