CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27902: Svelte 5 SSR XSS: When JSON Met HTML Comments

Vulnerability ID: CVE-2026-27902
CVSS Score: 5.3
Published: 2026-02-26

A Cross-Site Scripting (XSS) vulnerability exists in Svelte 5 versions prior to 5.53.5. The flaw occurs during Server-Side Rendering (SSR) when the framework attempts to serialize error objects into HTML comments for client-side hydration. Because the serialization process relied solely on JSON.stringify() without escaping HTML comment delimiters, an attacker can inject a closing comment tag (-->) to break out of the comment context and execute arbitrary JavaScript in the victim's browser.

TL;DR

Svelte 5's SSR error handling failed to escape --> sequences when serializing errors into HTML comments. Attackers can trigger an error containing malicious payloads to break out of the comment and execute XSS. Fixed in 5.53.5.
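To make the failure mode concrete, the following is an added JavaScript example (not Svelte's code and not the fix commit): it models the pre-5.53.5 pattern of JSON-serializing an error object straight into an HTML comment, places a hardened serializer beside it that keeps the output valid JSON while guaranteeing no `--` survives inside the comment, and adds a tokenizer-style check for early comment termination. `HYDRATION_START_FAILED` is the marker name from the diff below; its value here is a constructed placeholder, the error text is constructed, and the helper names are assumptions.

```javascript
// Added example, not Svelte's own code: models the pre-5.53.5 SSR pattern that
// embeds a serialized error object in an HTML comment, next to a hardened form.
// HYDRATION_START_FAILED is the marker name used in the fix diff; this value is
// a constructed placeholder, not the framework's real marker string.
const HYDRATION_START_FAILED = '[FAILED_PLACEHOLDER';

// Vulnerable shape: JSON.stringify escapes quotes, backslashes and control
// characters for a JavaScript *string* context, but '-' and '>' are ordinary
// characters to it, so an error message containing "-->" is emitted verbatim
// and terminates the comment early.
function serializeFailedBoundaryVulnerable(error) {
  return `<!--${HYDRATION_START_FAILED}${JSON.stringify(error)}-->`;
}

// Hardened shape (an assumption, not the exact body of the fix commit): rewrite
// every "--" in the JSON text as "-\u002D". The text stays valid JSON, so the
// client's JSON.parse recovers the original string, but "--" can no longer
// occur inside the comment body, which rules out both "-->" and "--!>".
// JSON.stringify output never contains "--" outside a string literal (a '-'
// outside strings only appears as a number sign), so the substitution is safe.
function serializeFailedBoundarySafe(error) {
  const json = JSON.stringify(error).replace(/--/g, '-\\u002D');
  return `<!--${HYDRATION_START_FAILED}${json}-->`;
}

// Hydration side (assumed shape): strip the delimiters and parse the JSON.
function parseFailedBoundary(html) {
  const prefix = `<!--${HYDRATION_START_FAILED}`;
  if (!html.startsWith(prefix) || !html.endsWith('-->')) {
    throw new Error('not a failed-boundary comment');
  }
  return JSON.parse(html.slice(prefix.length, -3));
}

// Defensive check mirroring the HTML tokenizer: a comment ends at the first
// "-->" or "--!>" after "<!--". If either sequence appears in the body before
// the intended closer, everything after it is parsed as markup.
function commentTerminatesEarly(commentHtml) {
  const body = commentHtml.slice('<!--'.length, -'-->'.length);
  return /--!?>/.test(body);
}

// Constructed sample: the kind of error text a request handler might throw
// with attacker-influenced content. Benign marker text, not a script payload.
const sampleError = { message: 'boom --> <b>escaped the comment</b>' };

function demo() {
  const vulnerable = serializeFailedBoundaryVulnerable(sampleError);
  const safe = serializeFailedBoundarySafe(sampleError);
  return {
    vulnerableBreaksOut: commentTerminatesEarly(vulnerable), // true
    safeBreaksOut: commentTerminatesEarly(safe),             // false
    roundTrips: parseFailedBoundary(safe).message === sampleError.message, // true
  };
}

console.log(demo());
```

The design point is that the escaping is done inside the JSON string syntax (`\u002D`) rather than by inserting HTML entities, so the client-side reader needs no change: `JSON.parse` undoes it. Escaping only the literal `-->` would leave `--!>` open, which the HTML tokenizer also treats as a comment terminator; removing every `--` closes both.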


⚠️ Exploit Status: PoC (proof of concept)

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Score: 5.3 (Medium)
  • Impact: Cross-Site Scripting (XSS)
  • Exploit Status: Proof of Concept (PoC) Available
  • Patch Status: Fixed in 5.53.5

Affected Systems

  • Svelte Framework (npm package: svelte)
  • Svelte: >= 5.53.0, < 5.53.5 (Fixed in: 5.53.5)

Code Analysis

Commit: 0298e97

fix: escape error content when serializing failed boundary

- child.#out.push(`<!--${HYDRATION_START_FAILED}${JSON.stringify(transformed)}-->`);
+ child.#out.push(Renderer.#serialize_failed_boundary(transformed));
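Review bot: the escaping logic is not visible in this hunk; the `+` line delegates to `Renderer.#serialize_failed_boundary(transformed)`, whose body is elsewhere, so these two lines alone do not show which sequences are neutralised. Please include that method (or its test cases) in the review, and confirm it handles `--!>` as well as `-->`, since the HTML tokenizer ends a comment at either; the simplest guarantee is that no `--` remains in the serialized body, for example by emitting `\u002D` inside the JSON string so the client's `JSON.parse` still recovers the original text. Also confirm the hydration-side reader of this comment needs no corresponding change.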

Exploit Details

  • GitHub: Functional test cases in the fix commit demonstrate the PoC payload.

Mitigation Strategies

  • Upgrade Svelte to version 5.53.5 or later.
  • Implement Content Security Policy (CSP) to restrict inline script execution.
  • If upgrading is not possible, sanitize any user-controlled input before it is included in error messages that SSR may serialize.

Remediation Steps:

  1. Open your project's package.json.
  2. Locate the svelte dependency.
  3. Change the version to ^5.53.5.
  4. Run npm install, pnpm install, or yarn install to apply the update.
  5. Verify the installed version using npm list svelte.
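As an added verification script, not part of the advisory: the Node code below reads the svelte version actually resolved into node_modules (the same value `npm list svelte` reports) and tests it against the affected range given above. This is worth running in CI because a `^5.53.5` range in package.json alone does not prove the lockfile and installed tree were updated. Function names and the file-reading approach are assumptions.

```javascript
// Added example (not from the advisory or the Svelte project): verify that the
// resolved svelte version is outside the affected range >= 5.53.0, < 5.53.5.
const AFFECTED_FROM = [5, 53, 0]; // first affected version per the advisory
const FIXED_IN = [5, 53, 5];      // first fixed version per the advisory

// Parses "MAJOR.MINOR.PATCH" with an optional leading "v". Prerelease or build
// suffixes are ignored (an assumption that is fine for installed releases but
// would need full semver handling for prerelease builds).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedSvelte(version) {
  const v = parseSemver(version);
  return compareSemver(v, AFFECTED_FROM) >= 0 && compareSemver(v, FIXED_IN) < 0;
}

// Reads the version that was actually installed: the range in package.json
// says what is allowed, the resolved package says what runs.
function installedSvelteVersion(projectDir = process.cwd()) {
  const fs = require('node:fs');
  const path = require('node:path');
  const pkgPath = path.join(projectDir, 'node_modules', 'svelte', 'package.json');
  return JSON.parse(fs.readFileSync(pkgPath, 'utf8')).version;
}

function checkProject(projectDir = process.cwd()) {
  const version = installedSvelteVersion(projectDir);
  return { version, affected: isAffectedSvelte(version) };
}

// Run directly (node check-svelte.js) from the project root; non-zero exit
// when the installed version is in the affected range, so CI can fail on it.
if (typeof require !== 'undefined' && require.main === module) {
  const result = checkProject();
  console.log(`svelte ${result.version}: ${result.affected ? 'AFFECTED by CVE-2026-27902' : 'not in affected range'}`);
  process.exitCode = result.affected ? 1 : 0;
}
```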

References


Read the full report for CVE-2026-27902 on our website for more details including interactive diagrams and full exploit analysis.
