chore(deps): update dependency svelte to v5.55.7 [security] #128

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-svelte-vulnerability

Conversation

renovate[bot] (Contributor) commented Jan 15, 2026

This PR contains the following updates:

Package          Change
svelte (source)  5.55.0 → 5.55.7
svelte (source)  5.2.8 → 5.55.7

Svelte affected by cross-site scripting via spread attributes in Svelte SSR

CVE-2026-27121 / GHSA-f7gr-6p89-r883


Details

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR does not validate dynamic element tag names in <svelte:element>

CVE-2026-27122 / GHSA-m56q-vw4c-c2cp


Details

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR attribute spreading includes inherited properties from prototype chain

CVE-2026-27125 / GHSA-crpf-4hrx-3jrp


Details

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent

CVE-2026-27901 / GHSA-phwv-c562-gvmh


Details

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte: ReDoS in <svelte:element> Tag Validation

CVE-2026-42567 / GHSA-9rmh-mm8f-r9h6


Details

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte: SSR XSS via Insecure Promise Serialization in hydratable

GHSA-f3cj-j4f6-wq85


Details

Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following are true:

  • you are using hydratable (an experimental feature at the time of this report)
  • you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g. hydratable('someKey', () => [synchronousValue, promiseValue])

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR vulnerable to cross-site scripting via spread attributes

CVE-2026-42599 / GHSA-pr6f-5x2q-rwfp


Details

When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires.

This is similar to but different from CVE-2026-27121.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

CVE-2026-42573 / GHSA-rcqx-6q8c-2c42


Details

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following are true:

  • you are using attribute spreading on a form element
  • you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form
  • both of these are simultaneously user-controllable

<form {...spread1}>
  <input {...spread2}>
</form>

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/svelte (svelte)

v5.55.7

Compare Source

Patch Changes

v5.55.6

Compare Source

Patch Changes
  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)
  • fix: keep dependencies of $state.eager/pending (#18218)
  • fix: reapply context after transforming error during SSR (#18099)
  • fix: don't rebase just-created batches (#18117)
  • chore: allow null for pending in typings (#18201)
  • fix: flush eager effects in production (#18107)
  • fix: rethrow error of failed iterable after calling return() (#18169)
  • fix: account for proxified instance when updating bind:this (#18147)
  • fix: ensure scheduled batch is flushed if not obsolete (#18131)
  • fix: resolve stale deriveds with latest value (#18167)
  • chore: remove unnecessary increment_pending calls (#18183)
  • fix: correctly compile component member expressions for SSR (#18192)
  • fix: reset source.updated stack traces after flush (#18196)
  • fix: replacing async 'blocking' strategy with 'merging' (#18205)
  • fix: allow @debug tags to reference awaited variables (#18138)
  • fix: re-run fallback props if dependencies update (#18146)
  • fix: abort running obsolete async branches (#18118)
  • fix: ignore comments when reading CSS values (#18153)
  • fix: wrap Promise.all in save during SSR (#18178)
  • fix: ignore false-positive errors of $inspect dependencies (#18106)

v5.55.5

Compare Source

Patch Changes
  • fix: don't mark deriveds while an effect is updating (#18124)
  • fix: do not dispatch introstart event with animation of animate directive (#18122)

v5.55.4

Compare Source

Patch Changes
  • fix: never mark a child effect root as inert (#18111)
  • fix: reset context after waiting on blockers of @const expressions (#18100)
  • fix: keep flushing new eager effects (#18102)

v5.55.3

Compare Source

Patch Changes
  • fix: ensure proper HMR updates for dynamic components (#18079)
  • fix: correctly calculate @const blockers (#18039)
  • fix: freeze deriveds once their containing effects are destroyed (#17921)
  • fix: defer error boundary rendering in forks (#18076)
  • fix: avoid false positives for reactivity loss warning (#18088)

v5.55.2

Compare Source

Patch Changes
  • fix: invalidate @const tags based on visible references in legacy mode (#18041)
  • fix: handle parens in template expressions more robustly (#18075)
  • fix: disallow -- in idPrefix (#18038)
  • fix: correct types for ontoggle on <details> elements (#18063)
  • fix: don't override $destroy/set/on instance methods in dev mode (#18034)
  • fix: unskip branches of earlier batches after commit (#18048)
  • fix: never set derived.v inside fork (#18037)
  • fix: skip rebase logic in non-async mode (#18040)
  • fix: don't reset status of uninitialized deriveds (#18054)

v5.55.1

Compare Source

Patch Changes
  • fix: correctly handle bindings on the server (#18009)
  • fix: prevent hydration error on async {@html ...} (#17999)
  • fix: cleanup superTypeParameters in ClassDeclarations/ClassExpression (#18015)
  • fix: improve duplicate module import error message (#18016)
  • fix: reschedule new effects in prior batches (#18021)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
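The advisories above share one root pattern: untrusted data reaching an SSR string builder as a tag name or as spread attributes. The following is an added example for this page, not Svelte's code and not how the framework internally renders; it is a small stand-alone model of an SSR element renderer that reproduces the pre-fix behaviours described in CVE-2026-27121/CVE-2026-42599 (on* keys rendered as attributes), CVE-2026-27122 (tag emitted verbatim) and CVE-2026-27125 (for...in walking the prototype chain), beside the hardening a consumer should apply before handing untrusted data to `<svelte:element>` or a spread, along the lines GHSA-9rmh-mm8f-r9h6 suggests (predetermined tag list, bounded length). The function names, the allowlist and the attacker inputs are this example's own assumptions; the inputs are constructed, not taken from a real incident.

```javascript
// Added example for this PR page (not Svelte's own code): a minimal model of
// an SSR renderer for `<svelte:element this={tag} {...attrs}>`.
// renderSpreadUnsafe() models the behaviours the advisories describe;
// renderSpreadSafe() shows the hardening a consumer can apply up front.
// All names, the allowlist and the sample inputs are assumptions of this example.

// Escape text for a double-quoted attribute value or a text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// UNSAFE model of the pre-fix behaviour:
//  - the tag name is emitted verbatim (CVE-2026-27122);
//  - for...in also walks inherited enumerable properties, so a polluted
//    prototype leaks into the markup (CVE-2026-27125);
//  - event-handler keys such as onmouseover are rendered like any other
//    attribute, so attacker-controlled attrs yield inline script
//    (CVE-2026-27121 / CVE-2026-42599).
function renderSpreadUnsafe(tag, attrs) {
  let html = `<${tag}`;
  for (const key in attrs) {
    html += ` ${key}="${escapeHtml(attrs[key])}"`;
  }
  return `${html}></${tag}>`;
}

// Tag names an untrusted caller may pick. An allowlist plus a length cap means
// no unbounded string ever reaches the runtime's tag-validation regex
// (GHSA-9rmh-mm8f-r9h6). Assumed allowlist; choose your own.
const TAG_ALLOWLIST = new Set(['div', 'span', 'section', 'article', 'p', 'ul', 'li']);
const MAX_TAG_LENGTH = 32;

function resolveTag(tag, fallback = 'div') {
  if (typeof tag !== 'string' || tag.length > MAX_TAG_LENGTH) return fallback;
  const lowered = tag.toLowerCase();
  return TAG_ALLOWLIST.has(lowered) ? lowered : fallback;
}

// Attribute names that may reach the output: a plain HTML attribute token.
const ATTR_NAME = /^[a-z][a-z0-9_:.-]{0,63}$/i;

// Reject any event-handler attribute, whatever its case (onclick, ONERROR, ...).
function isEventHandlerName(name) {
  return /^on/i.test(name);
}

// HARDENED: validated tag, own enumerable properties only (Object.keys never
// looks at the prototype chain), no on* keys, no odd attribute names, and
// every value escaped.
function renderSpreadSafe(tag, attrs) {
  const safeTag = resolveTag(tag);
  let html = `<${safeTag}`;
  for (const key of Object.keys(attrs ?? {})) {
    if (!ATTR_NAME.test(key) || isEventHandlerName(key)) continue;
    html += ` ${key}="${escapeHtml(attrs[key])}"`;
  }
  return `${html}></${safeTag}>`;
}

// Constructed attacker inputs for the demonstration (not from a real incident).
const ATTACKER_ATTRS = { class: 'card', onmouseover: 'alert(document.cookie)' };
const INJECTED_TAG = 'div><img src=x onerror=alert(1)><div';
// Simulates a polluted prototype without touching the real Object.prototype.
const POLLUTED_ATTRS = Object.assign(Object.create({ 'data-injected': 'yes' }), { id: 'x' });

// Renders each constructed input through both renderers for side-by-side comparison.
function demo() {
  return {
    handlerUnsafe: renderSpreadUnsafe('div', ATTACKER_ATTRS),
    handlerSafe: renderSpreadSafe('div', ATTACKER_ATTRS),
    tagUnsafe: renderSpreadUnsafe(INJECTED_TAG, {}),
    tagSafe: renderSpreadSafe(INJECTED_TAG, {}),
    prototypeUnsafe: renderSpreadUnsafe('div', POLLUTED_ATTRS),
    prototypeSafe: renderSpreadSafe('div', POLLUTED_ATTRS),
  };
}
```

Call `demo()` to see the unsafe renderer emit `onmouseover="alert(document.cookie)"`, a second `<img ... onerror=...>` element and the inherited `data-injected` attribute, while the hardened renderer produces only `<div class="card"></div>`, `<div></div>` and `<div id="x"></div>`. The checks in `renderSpreadSafe` are defence in depth for the application layer; the actual remediation is the upgrade this PR carries. The example does not model the DOM-clobbering case in GHSA-rcqx-6q8c-2c42, whose precondition is that both the form spread and the input's name attribute are attacker-controlled at the same time; the remedy there is not to let both be user-controlled.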

renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 3 times, most recently from 7a1608f to 578337b (January 23, 2026 18:28)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch from 578337b to 6eafc24 (February 1, 2026 07:16)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 12 times, most recently from 2464ac7 to 3194d0b (February 15, 2026 11:10)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch from 3194d0b to 2744932 (February 22, 2026 12:55)
renovate[bot] changed the title from "chore(deps): update dependency svelte to v5.46.4 [security]" to "chore(deps): update dependency svelte to v5.51.5 [security]" (Feb 22, 2026)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch from 2744932 to 0e45ba4 (March 1, 2026 06:39)
renovate[bot] changed the title from "chore(deps): update dependency svelte to v5.51.5 [security]" to "chore(deps): update dependency svelte to v5.53.5 [security]" (Mar 1, 2026)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 3 times, most recently from faff449 to 087a5c4 (March 3, 2026 20:34)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 3 times, most recently from 1ecdc43 to 60f6955 (March 17, 2026 18:17)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from c255583 to ff6631a (March 19, 2026 15:24)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from 288bdd5 to 92f39c5 (April 3, 2026 22:40)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from a5992f2 to 9feaea1 (April 10, 2026 20:57)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 4 times, most recently from eec4efd to 6a39e7b (April 19, 2026 05:16)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 3 times, most recently from c9540ac to ab2e13f (May 1, 2026 01:25)
renovate[bot] changed the title from "chore(deps): update dependency svelte to v5.53.5 [security]" to "chore(deps): update dependency svelte to ^5.53.5 [security]" (May 1, 2026)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 4 times, most recently from cb301da to 0be26b3 (May 3, 2026 00:57)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from 2bad126 to 082264a (May 15, 2026 01:01)
renovate[bot] changed the title from "chore(deps): update dependency svelte to ^5.53.5 [security]" to "chore(deps): update dependency svelte to v5.55.7 [security]" (May 15, 2026)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch 5 times, most recently from aa9b749 to e28f5a6 (May 18, 2026 21:35)
renovate[bot] force-pushed the renovate/npm-svelte-vulnerability branch from e28f5a6 to 8652a84 (May 20, 2026 05:03)