🚨 [security] Update svelte 3.42.1 → 5.53.5 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ svelte (3.42.1 → 5.53.5) · Repo · Changelog

Security Advisories 🚨

🚨 Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.

🚨 Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError.

🚨 Svelte affected by cross-site scripting via spread attributes in Svelte SSR

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

🚨 Svelte affected by XSS in SSR `` element

In certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

🚨 Svelte SSR does not validate dynamic element tag names in ``

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

🚨 Svelte SSR attribute spreading includes inherited properties from prototype chain

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

🚨 svelte is vulnerable to XSS with textarea bind:value

Summary

A server-side rendered <textarea> with two-way bound value does not have its value correctly escaped in the rendered HTML.

Details

In SSR, <textarea bind:value={...}> does not have its value escaped when it is rendered into the HTML as <textarea>...</textarea>.

PoC

Put this in a server-side-rendered Svelte component:

<script>
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>
<textarea bind:value />

Impact

• Only affects SSR
• Needs a <textarea bind:value> filled by user content via two-way binding

🚨 svelte vulnerable to Cross-site Scripting

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

• Impact: Arbitrary JS execution in the client’s browser.
• Exploitability: Remote, single-request if key is attacker-controlled.
• Typical Outcomes:
  • Session/token theft
  • DOM defacement
  • CSRF bypass via injected JS
  • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

🚨 Svelte has a potential mXSS vulnerability due to improper HTML escaping

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

• If the string is an attribute value:
  • " -> "
  • & -> &
  • Other characters -> No conversion
• Otherwise:
  • < -> <
  • & -> &
  • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"
// user input

let href = $page.url.searchParams.get("href") ?? "https://example.com";

</script>
<noscript>

<a href={href}>test</a>

</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

🚨 Svelte vulnerable to XSS when using objects during server-side rendering

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.

Release Notes

Too many releases to show here. View the full release notes.

🆕 @​jridgewell/gen-mapping (added, 0.3.13)

🆕 @​jridgewell/remapping (added, 2.3.5)

🆕 @​jridgewell/resolve-uri (added, 3.1.2)

🆕 @​jridgewell/sourcemap-codec (added, 1.5.5)

🆕 @​jridgewell/trace-mapping (added, 0.3.31)

🆕 @​sveltejs/acorn-typescript (added, 1.0.9)

🆕 @​types/trusted-types (added, 2.0.7)

🆕 aria-query (added, 5.3.1)

🆕 axobject-query (added, 4.1.0)

🆕 clsx (added, 2.1.1)

🆕 devalue (added, 5.6.3)

🆕 esm-env (added, 1.2.2)

🆕 esrap (added, 2.2.3)

🆕 locate-character (added, 3.0.0)

🆕 zimmerframe (added, 1.1.4)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)