GHSA-6738-r8g5-qwp3

Source
https://github.com/advisories/GHSA-6738-r8g5-qwp3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-6738-r8g5-qwp3/GHSA-6738-r8g5-qwp3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6738-r8g5-qwp3
Aliases
Published
2026-01-15T20:13:33Z
Modified
2026-01-15T22:52:46.930090Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
svelte vulnerable to Cross-site Scripting
Details

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the `hydratable` function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.
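The mechanism described above, as an added illustration that is not Svelte's code and does not reproduce its internals: a server helper that embeds a key/value pair into a `<script>` block using plain `JSON.stringify` (quoting the string but leaving `<` and `>` intact), beside a variant that escapes the characters which matter in script context. The function names (`unsafeEmbed`, `safeEmbed`, `serializeForScript`), the `window.__data` slot and the hostile key are all assumptions constructed for the example.

```javascript
// Added example, not Svelte's code. Shows why a key written into a
// server-rendered <script> block needs script-context escaping.

// Naive embedding: JSON.stringify quotes the key, but "<" and ">" survive,
// so a key containing "</script>" closes the script element early and the
// remainder of the key is parsed as fresh HTML.
function unsafeEmbed(key, value) {
  return `<script>window.__data = {${JSON.stringify(key)}: ${JSON.stringify(value)}};</script>`;
}

// Characters that are dangerous inside a <script> element. The HTML parser
// does not decode JS string escapes, so "\u003c" stays inert to it while
// still meaning "<" to the JavaScript engine once the script runs.
const SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line/paragraph separators break older JS parsers
  '\u2029': '\\u2029',
};

// JSON-serialize a value, then rewrite the script-sensitive characters
// as JS unicode escapes. Output remains valid JSON and valid JavaScript.
function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => SCRIPT_ESCAPES[c]);
}

// Hardened embedding: same shape, but every string passes through
// serializeForScript, so no key can terminate the enclosing script tag.
function safeEmbed(key, value) {
  return `<script>window.__data = {${serializeForScript(key)}: ${serializeForScript(value)}};</script>`;
}

// How many "</script" sequences the HTML parser would see. A single
// embedded pair should yield exactly one: the real closing tag.
function scriptEndTagCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Round trip: the escaped form must still decode to the original key,
// otherwise the hydration lookup on the client would miss.
function roundTrip(key) {
  return JSON.parse(serializeForScript(key));
}

// Constructed hostile key for demonstration; not taken from the advisory.
const HOSTILE_KEY = '</script><script>alert(1)</script>';

console.log('unsafe end tags:', scriptEndTagCount(unsafeEmbed(HOSTILE_KEY, 1)));
console.log('safe end tags:  ', scriptEndTagCount(safeEmbed(HOSTILE_KEY, 1)));
```

The count of `</script` occurrences is the useful check: the naive version yields three (two from the key plus the real closing tag), the escaped version yields one, and the escaped key still round-trips through `JSON.parse` to its original value, so the fix does not change which cache entry the client resolves.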

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

  • Impact: Arbitrary JS execution in the client’s browser.
  • Exploitability: Remote, single-request if key is attacker-controlled.
  • Typical Outcomes:
    • Session/token theft
    • DOM defacement
    • CSRF bypass via injected JS
    • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-01-15T20:16:03Z",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T20:13:33Z"
}
References

Affected packages

npm / svelte

Package

Affected ranges

Type
SEMVER
Events
Introduced
5.46.0
Fixed
5.46.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-6738-r8g5-qwp3/GHSA-6738-r8g5-qwp3.json"

last_known_affected_version_range

"<= 5.46.3"