DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GW32-9RMW-QWWW: Svelte SSR XSS: The Textarea Trap

Vulnerability ID: GHSA-GW32-9RMW-QWWW
CVSS Score: 8.4
Published: 2026-01-16

A high-severity Cross-Site Scripting (XSS) vulnerability exists in Svelte's Server-Side Rendering (SSR) compiler. Due to improper escaping of bind:value directives on <textarea> elements, attackers can break out of the HTML tag context and execute arbitrary JavaScript.

TL;DR

Svelte's SSR compiler forgot that <textarea> contents are children, not attributes. It didn't escape bind:value content during server-side rendering. Attackers can inject </textarea> to close the tag early and run scripts. Fixed in 3.59.2.
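As an added illustration (not Svelte's own code; function names are hypothetical and SAMPLE_VALUE is a constructed input), the following JavaScript models the pre-fix and post-fix SSR output for a textarea bind:value, with escapeContent standing in for the @escape helper the fix applies, plus a check an SSR test suite can run over rendered markup:

```javascript
// Escape for element-content (RCDATA/text) context: '&' and '<' are the
// only characters that can change how the parser reads textarea children.
function escapeContent(value) {
  return String(value ?? "")
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;");
}

// Models the pre-fix SSR output: the bound value is concatenated raw,
// mirroring the `${snippet} || ""` expression of the vulnerable compiler.
function renderTextareaVulnerable(value) {
  return `<textarea>${value || ""}</textarea>`;
}

// Models the post-fix output: the child content is escaped first.
function renderTextareaFixed(value) {
  return `<textarea>${escapeContent(value || "")}</textarea>`;
}

// Defensive check for an SSR test suite: the rendered markup must contain
// exactly one closing tag, and it must be the one the template wrote.
// Case-insensitive because HTML tag names are.
function hasSingleTextareaClose(html) {
  const closes = html.match(/<\/textarea\s*>/gi) || [];
  return closes.length === 1 && html.endsWith("</textarea>");
}

// Constructed sample: a harmless marker shows where a break-out would land.
const SAMPLE_VALUE = "hello</textarea><b>BREAKOUT</b>";

function demo() {
  const vulnerable = renderTextareaVulnerable(SAMPLE_VALUE);
  const fixed = renderTextareaFixed(SAMPLE_VALUE);
  return {
    vulnerableIsSafe: hasSingleTextareaClose(vulnerable), // false
    fixedIsSafe: hasSingleTextareaClose(fixed),           // true
    fixed,
  };
}

console.log(demo());
```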


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • CVSS Score: 8.4 (High)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N
  • Attack Vector: Network
  • Vulnerability Type: XSS (Cross-Site Scripting)
  • Affected Component: SSR Compiler (Textarea Handler)

Affected Systems

  • Svelte Framework (SSR Mode)
  • SvelteKit applications using Svelte < 3.59.2
  • svelte: >= 3.0.0 < 3.59.2 (Fixed in: 3.59.2)

Code Analysis

Commit: a31dec5

fix: escape textarea children during SSR

@@ -149,7 +149,7 @@ export default function (node: Element, renderer: Renderer, options: RenderOptio
            // value = name === 'textContent' ? x`@escape($$value)` : x`$$value`;
        } else if (binding.name === 'value' && node.name === 'textarea') {
            const snippet = expression.node;
-           node_contents = x`${snippet} || ""`;
+           node_contents = x`@escape(${snippet} || "")`;
        } else if (binding.name === 'value' && node.name === 'select') {
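Review bot: the `+` line routes the bound value through `@escape`, but nothing in this hunk shows which escaping mode `@escape` applies; since the bug is a child-content break-out through `</textarea>`, confirm that it escapes `<` (and `&`) for element-content context rather than only quotes as an attribute escaper would. The commented-out `value = name === 'textContent' ? ...` line directly above the branch is dead code and should be deleted or explained, and a regression test that server-renders `bind:value` with a value containing `</textarea>` would pin this fix.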

Exploit Details

Mitigation Strategies

  • Update Svelte to version 3.59.2 or later.
  • Use Svelte 4.0.0+ which includes the fix by default.
  • Avoid using bind:value on textareas with untrusted input in SSR mode if patching is impossible.

Remediation Steps:

  1. Check the svelte version declared in your package.json.
  2. Run npm install svelte@latest or yarn upgrade svelte.
  3. Verify the installed version is >= 3.59.2 using npm list svelte.
  4. Rebuild and redeploy your application to ensure the compiler generates the safe code.

Read the full report for GHSA-GW32-9RMW-QWWW on our website for more details including interactive diagrams and full exploit analysis.
