svelte@5.50.2

Cybernetically enhanced web apps

  • latest version: 5.55.9

  • latest non vulnerable version

  • first published: 9 years ago

  • latest version published: 2 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the svelte package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • Severity: Medium
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when attributes are rendered from untrusted data using spread syntax ({...attrs}): event handler properties in the spread object (on* keys) are emitted into the HTML output together with the ordinary attributes. An attacker who controls the spread data, for example through user input or an external data source, can inject a malicious event handler and execute arbitrary JavaScript in the victim's browser.

    Note:

    This is only exploitable if the user's browser has JavaScript enabled and the event fires before Svelte's hydration reaches the vulnerable element, i.e. in the window between the browser parsing the rendered HTML and the component taking control of that element.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.55.7 or higher.

    Vulnerable versions: <5.55.7
    • Severity: Medium
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper serialization of hydratable promises. When attacker-controlled input is hydrated first as a synchronous value and then as a promise value, the serialized output is produced incorrectly, and an attacker can execute arbitrary scripts in the context of the affected application by supplying specially crafted input.

    Note:

    This is only exploitable if the experimental hydratable feature is enabled and attacker-controlled input reaches it in a way that hydrates a synchronous value before a promise value. Applications that have not opted in to this experimental feature are not affected.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.55.7 or higher.

    Vulnerable versions: >=5.46.0 <5.55.7
    • Severity: Medium
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of attribute spreading and dynamic name attributes within form elements. An attacker can inject malicious scripts by controlling both the spread attributes on a <form> element and the dynamic or spread attributes that set the name of an <input> or <button> element inside that form.

    Note:

    This is only exploitable if attribute spreading is used on a form element and, within that form, the name attribute of an input or button element is set from a spread or from a dynamic value, with both being user-controllable at the same time. Either condition on its own is not sufficient.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.55.7 or higher.

    Vulnerable versions: <5.55.7
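    The first and third entries above share a root cause: an object from an untrusted source is spread onto an element, and whatever keys it carries become attributes. Upgrading is the fix; the application-side guard that also survives future regressions is to never spread raw data, only a filtered copy. The following is an added example written for this page, not Svelte's own code. It keeps own properties only (so a polluted Object.prototype, the subject of the last entry on this page, contributes nothing), drops every key that starts with on, applies a per-element allowlist, and accepts a name attribute on a form control only from the field names the component expects. The allowlist, the token pattern and the sample objects are assumptions constructed for the demonstration.

```javascript
// Added example for this page (not Svelte's own code): copy only vetted
// attributes out of an untrusted object before spreading it in a template.

// Assumed per-element allowlist of attribute names that data may set.
const DEFAULT_ALLOWED = new Set(['id', 'class', 'title', 'placeholder', 'type', 'value']);

// Attribute values used as identifiers must look like identifiers (assumed pattern).
const SAFE_TOKEN = /^[A-Za-z][\w-]{0,63}$/;

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return a new plain object containing only the attributes that pass every check.
//   untrusted          - object from user input, an API response, a CMS, ...
//   options.insideForm - true when the target is an <input>/<button> inside a <form>
//   options.fieldNames - Set of expected form field names (required when insideForm)
//   options.allowed    - attribute allowlist override
function pickSafeAttributes(untrusted, options = {}) {
  const { insideForm = false, fieldNames = new Set(), allowed = DEFAULT_ALLOWED } = options;
  const safe = {};
  if (untrusted === null || typeof untrusted !== 'object') return safe;

  // Object.keys() returns own enumerable keys only, so properties planted on
  // Object.prototype never reach the output, unlike a for...in loop would allow.
  for (const key of Object.keys(untrusted)) {
    const name = key.toLowerCase();
    if (name.startsWith('on')) continue;                 // onclick, OnMouseOver, ...
    const value = untrusted[key];
    if (!['string', 'number', 'boolean'].includes(typeof value)) continue; // no objects/functions

    if (name === 'name') {
      // name is only accepted on form controls, and only from the expected set
      if (!insideForm || !fieldNames.has(String(value))) continue;
    } else {
      if (!allowed.has(name)) continue;
      if (name === 'id' && !SAFE_TOKEN.test(String(value))) continue;
    }
    safe[name] = value;
  }
  return safe;
}

// Constructed scenario: some other code has polluted Object.prototype.
// Shows why own-property enumeration matters (the pollution is undone in finally).
function demoPrototypePollution() {
  Object.prototype.class = 'injected-by-pollution';
  try {
    const src = {};
    const naive = {};
    for (const k in src) naive[k] = src[k];            // for...in walks the prototype chain
    const filtered = pickSafeAttributes({});
    return {
      naive: hasOwn(naive, 'class'),                   // true: pollution leaked through
      filtered: hasOwn(filtered, 'class'),             // false: dropped
    };
  } finally {
    delete Object.prototype.class;
  }
}
```

    In a component the call replaces the raw spread, for example <input {...pickSafeAttributes(data, { insideForm: true, fieldNames: new Set(['email']) })}>, so an attacker who controls data can neither add an on* handler nor rename the field.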
    • Severity: Medium
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the bind:innerText and bind:textContent bindings on contenteditable elements during server-side rendering. The initial value of the binding is written into the SSR output as HTML rather than as text, so an attacker who controls that value when untrusted data is rendered can inject markup and execute arbitrary scripts in the context of the application.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.53.5 or higher.

    Vulnerable versions: <5.53.5
    • Severity: Medium
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the server-side rendering of the <option> element, whose content is not properly escaped. An attacker can inject arbitrary HTML into the SSR output by supplying crafted input as the option's content.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.51.5 or higher.

    Vulnerable versions: >=5.39.3 <5.51.5
    • Severity: Low
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the spread syntax when rendering attributes from untrusted data during server-side rendering: event handler properties present in the spread data are emitted into the server-rendered HTML. An attacker can execute arbitrary JavaScript in the victim's browser by injecting event handler properties through user-controlled or external data.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.51.5 or higher.

    Vulnerable versions: <5.51.5
    • Severity: Low
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via svelte:element tags: the tag name given to the element's this attribute is not validated before it is written out, so an attacker who controls it can inject arbitrary HTML into the server-side rendered output by supplying a crafted tag name. Dynamic tag names should never be taken from user input, whatever the Svelte version.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.51.5 or higher.

    Vulnerable versions: <5.51.5
    • Severity: Medium
    Improperly Controlled Modification of Dynamically-Determined Object Attributes

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements: properties inherited from Object.prototype are treated as if they were attributes of the spread object. An attacker who can pollute Object.prototype before rendering can inject unexpected attributes into the rendered output or cause rendering errors.

    Note:

    This is only exploitable if Object.prototype has already been modified before rendering occurs, so it requires a separate prototype pollution primitive elsewhere in the application or its dependencies; on its own it is not a complete attack.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade svelte to version 5.51.5 or higher.

    Vulnerable versions: <5.51.5
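    Two questions follow from the list above for anyone running this package: which of these entries cover the version actually installed (the resolved version from the lockfile, not the range in package.json), and where in the code base the template patterns they depend on occur. The following is an added triage helper written for this page, not Svelte's or Snyk's code. The version ranges are copied from the entries above; the line-based regular expressions are heuristics for Svelte template syntax, not a parser, and will miss tags that span several lines; the sample component is constructed for the demonstration.

```javascript
// Added example for this page (not Svelte's or Snyk's code): triage helper that
// (1) lists which entries above cover an installed svelte version and
// (2) flags the template patterns those entries depend on, line by line.

// Ranges copied from the entries above; introduced === null means "every earlier version".
const ADVISORIES = [
  { title: 'XSS: event handlers in spread attributes', severity: 'Medium', introduced: null, fixed: '5.55.7' },
  { title: 'XSS: serialization of hydratable promises', severity: 'Medium', introduced: '5.46.0', fixed: '5.55.7' },
  { title: 'XSS: form spread plus dynamic name on input/button', severity: 'Medium', introduced: null, fixed: '5.55.7' },
  { title: 'XSS: bind:innerText/bind:textContent on contenteditable (SSR)', severity: 'Medium', introduced: null, fixed: '5.53.5' },
  { title: 'XSS: unescaped <option> content (SSR)', severity: 'Medium', introduced: '5.39.3', fixed: '5.51.5' },
  { title: 'XSS: event handlers in spread attributes (SSR)', severity: 'Low', introduced: null, fixed: '5.51.5' },
  { title: 'XSS: svelte:element tag name (SSR)', severity: 'Low', introduced: null, fixed: '5.51.5' },
  { title: 'Prototype pollution affects spread attributes (SSR)', severity: 'Medium', introduced: null, fixed: '5.51.5' },
];

// Parse "5.55.7" or "5.55.7-next.2"; a prerelease sorts below its release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.parts[i] !== vb.parts[i]) return va.parts[i] < vb.parts[i] ? -1 : 1;
  }
  if (va.pre !== vb.pre) return va.pre ? -1 : 1;   // 5.55.7-next.1 < 5.55.7
  return 0;
}

// Entries whose range contains the installed version.
function affectedAdvisories(installed) {
  return ADVISORIES.filter(a =>
    compareVersions(installed, a.fixed) < 0 &&
    (a.introduced === null || compareVersions(installed, a.introduced) >= 0));
}

// Heuristic, line-based patterns for the template constructs the entries depend on.
const RULES = [
  { id: 'spread-attrs', re: /<[A-Za-z][^>]*\{\.\.\./, why: 'attribute spread: untrusted data can carry on* handlers or unexpected attributes' },
  { id: 'form-spread', re: /<form\b[^>]*\{\.\.\./, why: 'spread on <form>: dangerous together with dynamic names on its controls' },
  { id: 'form-control-name', re: /<(input|button)\b[^>]*(\bname=\{|\{\.\.\.)/, why: 'dynamic or spread name on a form control' },
  { id: 'dynamic-element', re: /<svelte:element\b[^>]*\bthis=\{/, why: 'dynamic tag name: must never be user-controlled' },
  { id: 'contenteditable-bind', re: /\bbind:(innerText|textContent)\b/, why: 'initial value rendered on the server' },
  { id: 'dynamic-option', re: /<option\b[^>]*>[^<]*\{/, why: 'dynamic <option> content rendered on the server' },
];

function scanSvelteSource(source, file = '<inline>') {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ file, line: i + 1, rule: rule.id, why: rule.why });
    }
  });
  return findings;
}

// files: { path: source } as read from disk by the caller.
function triage(installedVersion, files) {
  const advisories = affectedAdvisories(installedVersion);
  const findings = Object.entries(files).flatMap(([path, src]) => scanSvelteSource(src, path));
  return { installedVersion, advisories, findings };
}

// Constructed sample component exercising every pattern (not real application code).
const SAMPLE = `<script>
  export let attrs, formAttrs, fieldName, tag, text, label;
</script>
<form {...formAttrs}>
  <input name={fieldName} />
  <button type="submit">Go</button>
</form>
<div {...attrs}>hello</div>
<svelte:element this={tag} />
<div contenteditable bind:innerText={text}></div>
<select><option>{label}</option></select>
`;

const SAMPLE_REPORT = triage('5.50.2', { 'src/Profile.svelte': SAMPLE });
```

    For a real project, read the resolved svelte version from the lockfile and feed each .svelte file's contents into triage; every finding is a place to confirm that the data involved cannot be attacker-controlled, independently of the upgrade.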