svelte 5.51.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the svelte package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the server-side rendering process of the `<option>` element, which does not properly escape its content. An attacker can inject arbitrary HTML into the SSR output by supplying crafted input. How to fix Cross-site Scripting (XSS)? Upgrade `svelte` to version 5.51.5 or higher.	>=5.39.3 <5.51.5
M Cross-site Scripting (XSS) svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the spread syntax when rendering attributes from untrusted data during server-side rendering. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting malicious event handler properties through user-controlled or external data. How to fix Cross-site Scripting (XSS)? Upgrade `svelte` to version 5.51.5 or higher.	<5.51.5
M Cross-site Scripting (XSS) svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `svelte:element` tags. An attacker can inject arbitrary HTML into the server-side rendered output by supplying a crafted tag name. How to fix Cross-site Scripting (XSS)? Upgrade `svelte` to version 5.51.5 or higher.	<5.51.5
M Improperly Controlled Modification of Dynamically-Determined Object Attributes svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker can inject unexpected attributes or cause errors in the rendered output by polluting the `Object.prototype` prior to rendering. Note: This is only exploitable if the environment's `Object.prototype` has already been modified before rendering occurs. How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes? Upgrade `svelte` to version 5.51.5 or higher.	<5.51.5

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

svelte is a package for building web applications.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the server-side rendering process of the <option> element, which does not properly escape its content. An attacker can inject arbitrary HTML into the SSR output by supplying crafted input.

How to fix Cross-site Scripting (XSS)?

Upgrade svelte to version 5.51.5 or higher.

>=5.39.3 <5.51.5

Cross-site Scripting (XSS)

svelte is a package for building web applications.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the spread syntax when rendering attributes from untrusted data during server-side rendering. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting malicious event handler properties through user-controlled or external data.

How to fix Cross-site Scripting (XSS)?

Upgrade svelte to version 5.51.5 or higher.

<5.51.5

Cross-site Scripting (XSS)

svelte is a package for building web applications.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the svelte:element tags. An attacker can inject arbitrary HTML into the server-side rendered output by supplying a crafted tag name.

How to fix Cross-site Scripting (XSS)?

Upgrade svelte to version 5.51.5 or higher.

<5.51.5

Improperly Controlled Modification of Dynamically-Determined Object Attributes

svelte is a package for building web applications.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker can inject unexpected attributes or cause errors in the rendered output by polluting the Object.prototype prior to rendering.

Note:

This is only exploitable if the environment's Object.prototype has already been modified before rendering occurs.

How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

Upgrade svelte to version 5.51.5 or higher.

<5.51.5

svelte@5.51.2 vulnerabilities

Cybernetically enhanced web apps

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically