DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hydratable Promises

Vulnerability ID: GHSA-F3CJ-J4F6-WQ85
CVSS Score: 9.1
Published: 2026-05-14

A critical cross-site scripting (XSS) vulnerability exists in the server-side rendering (SSR) engine of the Svelte framework. It is caused by insecure promise serialization in the experimental hydratable feature: the resolved value of a promise was inserted into the serialized output as the replacement string of String.prototype.replace(), and that method interprets $-prefixed replacement patterns ($&, $`, $', $$) inside the replacement string. An attacker who controls the resolved value can therefore make the SSR engine copy parts of its own template text into the emitted output, so that template strings are duplicated into an executable script block and run in the victim's browser.

TL;DR

Svelte versions from 5.46.0 up to but not including 5.55.7 contain an XSS vulnerability in the hydratable SSR feature. An attacker who can influence a promise value that is serialized for hydration can include $-prefixed replacement patterns ($&, $`, $', $$) that String.prototype.replace() expands, which lets them execute arbitrary JavaScript in the victim's browser.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0: 9.1 (Critical)
  • Impact: High Confidentiality, High Integrity (Subsequent System)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Svelte SSR Engine
  • Svelte applications utilizing the experimental hydratable feature with untrusted data
  • svelte: >= 5.46.0, < 5.55.7 (Fixed in: 5.55.7)

Code Analysis

Commit: a16ebc6

Fixes XSS vulnerability in hydratable promises by using a function replacer in String.prototype.replace()

Mitigation Strategies

  • Upgrade Svelte to version 5.55.7 or higher.
  • As a stopgap on versions that cannot be upgraded yet, reject or escape '$' in untrusted values before they are processed by the hydratable function. The sequences String.prototype.replace() interprets in a replacement string are $&, $`, $' and $$ (and $n when the pattern is a regex with capture groups); doubling each '$' to '$$' yields a literal '$' after replacement. This protects only the call sites it is applied to; the upgrade is the fix.
  • Deploy a Content Security Policy (CSP) that restricts inline script execution. Because the serialized hydration data is itself emitted as an inline script, allow the framework's own script with a nonce or hash rather than 'unsafe-inline', otherwise hydration breaks along with the injected script.
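The following is an added example, not Svelte's own code and not the upstream patch: a hypothetical SSR serializer (the template, the __VALUE__ placeholder and all function names are assumptions) that shows how a replacement string containing $' copies the template's own closing tag into the output, how the function-replacer approach described in the commit above avoids it, and a $-pattern check and escape of the kind the stopgap mitigation calls for.

```javascript
// Added example (not Svelte's own code): a minimal stand-in for an SSR
// serializer that splices a resolved promise value into an inline <script>
// template. The template, placeholder and function names are hypothetical.

// Serialize a value as a JS literal and neutralize "<" so the value itself
// can never close the <script> tag. This is the escaping step the bug bypasses.
function escapeForScript(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// Hypothetical hydration template; __VALUE__ marks where the promise result goes.
const TEMPLATE = "<script>window.__hydrate = {value: __VALUE__};</script>";

// VULNERABLE: the escaped value is passed as the replacement *string*, so
// String.prototype.replace() expands $&, $`, $' and $$ found inside it.
function serializeVulnerable(value) {
  return TEMPLATE.replace("__VALUE__", escapeForScript(value));
}

// FIXED (same approach as the upstream patch): a function replacer's return
// value is inserted verbatim, so no $-pattern expansion takes place.
function serializeFixed(value) {
  return TEMPLATE.replace("__VALUE__", () => escapeForScript(value));
}

// Stopgap check for code that still uses a string replacer: does the value
// contain a sequence String.prototype.replace() would treat as a token?
// ($n only matters for regex patterns with capture groups; flagged anyway.)
const REPLACEMENT_PATTERN = /\$(?:[$&`']|\d)/;
function containsReplacementPattern(value) {
  return REPLACEMENT_PATTERN.test(value);
}

// Stopgap escape: "$$" is the replacement-string spelling of a literal "$".
// A function replacer is used here so this call is itself not affected.
function neutralizeReplacementTokens(value) {
  return value.replace(/\$/g, () => "$$");
}

// Count how many times the script block is closed; more than one means
// template text was duplicated into the output.
function countScriptClosers(html) {
  return html.split("</script>").length - 1;
}

// Constructed attacker-controlled value: $' expands to everything after the
// match, which here is the template's own "};</script>".
const ATTACKER_VALUE = "$'";

console.log("vulnerable:", serializeVulnerable(ATTACKER_VALUE));
console.log("fixed:     ", serializeFixed(ATTACKER_VALUE));
console.log("stopgap:   ", serializeVulnerable(neutralizeReplacementTokens(ATTACKER_VALUE)));
```

Run it with node: the vulnerable output contains two </script> closers, the first of which sits inside what was meant to be a string literal, while the fixed and stopgap outputs contain exactly one. The escaping of "<" in escapeForScript never fires because the attacker value itself contains no "<"; the closing tag comes from the template, copied by the $' expansion.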

Remediation Steps:

  1. Identify all Svelte projects within the organization whose resolved svelte version falls in the affected range (>= 5.46.0, < 5.55.7); npm ls svelte shows the resolved version in each project.
  2. Run npm install svelte@latest, or set the svelte entry in package.json to ^5.55.7 and reinstall so the lockfile is updated.
  3. Run the application test suite to verify the upgrade does not introduce regressions.
  4. Deploy the updated application to staging and production environments.
