svelte@5.55.6

Cybernetically enhanced web apps

  • latest version

    5.55.9

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the svelte package. This does not include vulnerabilities belonging to this package’s dependencies.

    Severity    Vulnerability    Vulnerable Version
    • M
    Regular Expression Denial of Service (ReDoS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the validation of the tag name passed to <svelte:element this={...}>. An attacker who controls that tag name can supply a specially crafted string of unbounded length and make the internal regular expression spend excessive processing time on it, causing significant performance degradation for the process doing the validation.

    Note:

    This is only exploitable if user-supplied tag names are not restricted in length or validated against a predetermined list.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade svelte to version 5.55.7 or higher.

    >=5.51.5 <5.55.7
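    The note above gives the mitigation that works independently of the upgrade: never let an unconstrained string reach <svelte:element this={...}>. The following is an added example, not code from the Svelte project; the allowlist, MAX_TAG_LENGTH and DEFAULT_TAG are assumptions chosen for the illustration, and the sample inputs are constructed.

```javascript
// Added example (not part of the Svelte project): constrain a user-supplied
// tag name before it reaches <svelte:element this={tag}>. The allowlist,
// MAX_TAG_LENGTH and DEFAULT_TAG are assumptions for this illustration.

const ALLOWED_TAGS = new Set([
  'div', 'span', 'p', 'section', 'article', 'aside',
  'h1', 'h2', 'h3', 'ul', 'ol', 'li', 'strong', 'em', 'code',
]);
const MAX_TAG_LENGTH = 32; // every entry in ALLOWED_TAGS is far shorter
const DEFAULT_TAG = 'div';

// True only for a string that is short enough and on the allowlist.
// The length gate runs before any per-character work, so a multi-megabyte
// input is refused in O(1) instead of being handed to a regular expression.
function isAllowedTagName(candidate) {
  if (typeof candidate !== 'string') return false;
  if (candidate.length === 0 || candidate.length > MAX_TAG_LENGTH) return false;
  return ALLOWED_TAGS.has(candidate.toLowerCase());
}

// Returns a tag name that is guaranteed to be on the allowlist; anything
// else falls back to DEFAULT_TAG so the component renders predictably.
function resolveTagName(candidate) {
  return isAllowedTagName(candidate) ? candidate.toLowerCase() : DEFAULT_TAG;
}

// Constructed inputs standing in for what a request body or URL might carry.
const SAMPLE_INPUTS = [
  'SPAN',                 // legitimate, differently cased
  'script',               // a real HTML tag, but not on the allowlist
  'a'.repeat(1_000_000),  // the unbounded-length case the advisory describes
  null,                   // missing value
];

// Runs every sample through the check and reports what would be rendered.
function demo() {
  return SAMPLE_INPUTS.map((input) => ({
    length: typeof input === 'string' ? input.length : 0,
    allowed: isAllowedTagName(input),
    rendered: resolveTagName(input),
  }));
}

// In a component: <svelte:element this={resolveTagName(userTag)}>...</svelte:element>
```

    Because the value reaching `this` is always one of a fixed set of short strings, the internal tag-name validation never sees attacker-shaped input, whatever Svelte version is installed. Treat this as defence in depth, not a substitute for upgrading to 5.55.7.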
    • M
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when attributes are rendered from untrusted data with spread syntax ({...attrs}): event handler properties present in the spread object (such as onclick) are emitted as inline handler attributes in the HTML output. An attacker who controls that data, whether user-supplied or fetched from an external source, can inject an event handler and execute arbitrary JavaScript in the victim's browser.

    Note:

    This is only exploitable if the victim's browser has JavaScript enabled and the injected handler fires before hydration reaches the element, that is, in the window between the server-rendered HTML being displayed and the client-side code taking the element over.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.55.7 or higher.

    <5.55.7
    • M
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper serialization of hydratable promises. An attacker can execute arbitrary scripts in the context of the affected application by supplying specially crafted input that is hydrated first as a synchronous value and then as a promise value.

    Note:

    This is only exploitable if the experimental hydratable feature is enabled and attacker-controlled input is passed in such a way that a synchronous value is hydrated before a promise value.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.55.7 or higher.

    >=5.46.0 <5.55.7
    • M
    Cross-site Scripting (XSS)

    svelte is a package for building web applications.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of attribute spreading and dynamic name attributes within form elements. When both the spread attributes on a form element and the dynamic or spread attributes (in particular the name attribute) on an input or button inside that form are user-controllable, an attacker can manipulate the two together to inject malicious script.

    Note:

    This is only exploitable if attribute spreading is used on a form element and, within that form, attribute spreading or a dynamic value is allowed for the name attribute on an input or button element, with both being simultaneously user-controllable.

    How to fix Cross-site Scripting (XSS)?

    Upgrade svelte to version 5.55.7 or higher.

    <5.55.7
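    Two of the entries above (the spread-attribute XSS that emits event handler properties, and the form/name-attribute XSS) share the same application-side mitigation: do not spread untrusted objects onto elements as-is; filter them through an allowlist first, refusing event handler keys and pinning the name attribute to the fields the form is known to contain. The following is an added example, not code from the Svelte project; the allowlists are assumptions for the illustration and TAMPERED_FIELD is a constructed sample.

```javascript
// Added example (not Svelte's own code): filter an attribute object taken
// from untrusted data before it is spread onto an element with {...attrs}.
// The allowlists below are assumptions for this illustration; a real
// application would derive them from the fields its forms actually use.

// Non-event attributes this (assumed) application is willing to pass through.
const ALLOWED_ATTRS = new Set([
  'id', 'class', 'title', 'placeholder', 'value', 'aria-label', 'data-id',
]);
// The only values the name attribute may take on an input or button.
const ALLOWED_FIELD_NAMES = new Set(['email', 'username', 'query', 'page']);
// Input types the application renders.
const ALLOWED_INPUT_TYPES = new Set(['text', 'email', 'search', 'hidden', 'number', 'submit']);

// Any attribute whose name begins with "on" becomes an inline event handler
// once serialized into HTML (onclick, onerror, onfocusin, ...). Attribute
// names are case-insensitive, so the test is too.
function isEventHandlerName(name) {
  return /^on/i.test(name);
}

// Returns { safe, dropped }: `safe` is the object to spread, `dropped` lists
// the keys that were refused so they can be logged or reported.
function sanitizeSpreadAttrs(attrs) {
  const safe = {};
  const dropped = [];
  if (attrs === null || typeof attrs !== 'object' || Array.isArray(attrs)) {
    return { safe, dropped };
  }
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (isEventHandlerName(name)) {
      dropped.push(rawName); // the XSS vector: onclick="..." and friends
      continue;
    }
    if (name === 'name') {
      // Pin name to the fields the form is known to contain, so a
      // user-controlled value can never become the name of a field.
      if (!ALLOWED_FIELD_NAMES.has(value)) { dropped.push(rawName); continue; }
      safe.name = value;
      continue;
    }
    if (name === 'type') {
      if (!ALLOWED_INPUT_TYPES.has(value)) { dropped.push(rawName); continue; }
      safe.type = value;
      continue;
    }
    if (!ALLOWED_ATTRS.has(name)) { dropped.push(rawName); continue; }
    safe[name] = value;
  }
  return { safe, dropped };
}

// Constructed sample: a "field definition" fetched from an untrusted source
// after someone has tampered with it.
const TAMPERED_FIELD = {
  class: 'form-control',
  name: 'not-a-known-field',               // not one of the expected names
  type: 'text',
  onClick: 'alert(1)',                     // inline handler smuggled in via spread
  ONERROR: 'alert(2)',                     // different casing, same effect
  formaction: 'https://example.com/submit', // not on the allowlist either
};

// In a component: <input {...sanitizeSpreadAttrs(field).safe} />
```

    The `^on` test is deliberately conservative and will also refuse a harmless attribute that happens to start with "on"; extend ALLOWED_ATTRS with an explicit exception rather than loosening the pattern. As with the tag-name check, this is defence in depth: the fix for the underlying serialization behaviour is the upgrade to 5.55.7.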