GHSA-pr6f-5x2q-rwfp
Cross-Site Scripting (XSS) vulnerability in svelte (npm)
What is GHSA-pr6f-5x2q-rwfp About?
This vulnerability enables Cross-Site Scripting (XSS) when Svelte applications render attributes from untrusted data using spread syntax. An attacker can inject malicious event handlers into the HTML output, which then execute in victims' browsers if JavaScript is enabled but Svelte's hydration doesn't occur before the event fires. This vulnerability is moderately easy to exploit if user-controlled data is spread directly into attributes.
Affected Software
Technical Details
When a Svelte application utilizes spread syntax ({...props}) to render attributes from untrusted data, specifically event handler properties (e.g., onclick, onsubmit), these properties are directly incorporated into the rendered HTML output. If an attacker can control data that is spread as element attributes, they can inject malicious JavaScript code via these event handlers. This injected code will execute in a victim's browser if the following conditions are met: the user's browser has JavaScript enabled, and crucially, Svelte's client-side hydration mechanism does not fully process or 'hydrate' the vulnerable element before the injected event handler is triggered by user interaction or other means.
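To make the mechanism concrete, here is an added JavaScript illustration that is not Svelte's or the advisory's own code: a constructed stand-in for an attribute serializer shows how a spread object carrying an `onclick` key lands verbatim in the HTML, next to an allowlist filter (`sanitizeSpreadProps`, a name assumed here) that drops event-handler keys before the data is spread onto an element.

```javascript
// Constructed illustration, not Svelte's internals: a minimal attribute
// serializer mimicking what server-side rendering does with a spread object,
// plus an allowlist filter that removes inline event-handler keys.

// Escape attribute values as any HTML serializer must (does not help here:
// the problem is the attribute *name*, not its value).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Every key of the spread object is emitted as an attribute, so an `onclick`
// key that came from untrusted data becomes an inline event handler.
function renderSpreadAttrs(props) {
  return Object.entries(props)
    .filter(([, v]) => v !== null && v !== undefined && v !== false)
    .map(([k, v]) => (v === true ? ` ${k}` : ` ${k}="${escapeAttr(v)}"`))
    .join("");
}

// Inline event handler attribute names all start with "on" (onclick,
// onmouseover, onerror, ...). Match case-insensitively.
function isEventHandlerAttr(name) {
  return /^on/i.test(name);
}

// Allowlist of attributes that may come from data. URL-valued attributes
// (href, src) are deliberately left out: they need a scheme check of their own.
const ALLOWED_ATTRS = new Set(["id", "class", "title", "alt", "data-id"]);

function sanitizeSpreadProps(props, allowed = ALLOWED_ATTRS) {
  const out = {};
  for (const [k, v] of Object.entries(props)) {
    if (isEventHandlerAttr(k)) continue;        // never take handlers from data
    if (!allowed.has(k.toLowerCase())) continue; // drop anything unexpected
    out[k] = v;
  }
  return out;
}

// Constructed sample: attributes received from an untrusted source
// (e.g. a JSON API response) that a component spreads onto a <div>.
const untrustedProps = { id: "card-1", class: "card", onclick: "console.log('injected')" };

const unsafeHtml = `<div${renderSpreadAttrs(untrustedProps)}></div>`;
const safeHtml = `<div${renderSpreadAttrs(sanitizeSpreadProps(untrustedProps))}></div>`;
```

`unsafeHtml` contains the injected `onclick="..."`; `safeHtml` contains only `id` and `class`. The allowlist is the fix that works regardless of whether hydration has run yet.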
What is the Impact of GHSA-pr6f-5x2q-rwfp?
Successful exploitation may allow attackers to execute arbitrary script code in the context of the victim's browser, leading to session hijacking, defacement, sensitive data disclosure, or redirection to malicious sites.
What is the Exploitability of GHSA-pr6f-5x2q-rwfp?
Exploitation complexity is moderate, requiring a thorough understanding of Svelte's rendering and hydration lifecycle, along with web frontend attack techniques. No specific authentication is required, as the attack typically involves tricking a victim into interacting with a malicious page or content. Privilege requirements are limited to what a typical web user has. This is a client-side, remote vulnerability, often delivered via malicious content on a trusted website. Special conditions include the user's browser having JavaScript enabled and the specific timing where Svelte's hydration mechanism doesn't intercept the event before the injected handler fires. The risk factors increase significantly if applications spread user-controlled or external data directly into HTML attributes without proper sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-pr6f-5x2q-rwfp?
Available Upgrade Options
- svelte
- <5.55.7 → Upgrade to 5.55.7
What are Similar Vulnerabilities to GHSA-pr6f-5x2q-rwfp?
Similar Vulnerabilities: CVE-2026-27121, CVE-2023-38507, CVE-2022-38531, CVE-2021-23395, CVE-2020-28287
