GHSA-F3CJ-J4F6-WQ85: GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hy…

1 / 2

GHSA-F3CJ-J4F6-WQ85: GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hydratable Promises

DEV Community·CVE Reports·18 days ago

#UDu2QOGe

#svelte5557releasenotes #security #cve #cybersecurity #svelte #hydratable

Reading 0:00

15s threshold

GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hydratable Promises Vulnerability ID: GHSA-F3CJ-J4F6-WQ85 CVSS Score: 9.1 Published: 2026-05-14 A critical Cross-Site Scripting (XSS) vulnerability exists in the Server-Side Rendering (SSR) engine of the Svelte framework. The vulnerability occurs due to insecure promise serialization within the experimental hydratable feature. Attackers controlling the output of a resolved promise can inject JavaScript string replacement tokens, causing the SSR engine to duplicate template strings into executable script blocks. TL;DR Svelte versions prior to 5.55.7 contain an XSS vulnerability in the hydratable SSR feature. Attackers can leverage the '$' replacement token in promise values to execute arbitrary JavaScript in the victim's browser.…

Continue reading — create a free account

Join HashtagPLUS to read full articles, follow hashtags, vote, and join the conversation.

Create free account Log in

Menu

GHSA-F3CJ-J4F6-WQ85: GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hydratable Promises