{"vulnerability": "GHSA-F3CJ-J4F6-WQ85", "sightings": [{"uuid": "5cf5b7a1-9ac7-4a63-a530-b12a0637e03b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-F3CJ-J4F6-WQ85", "type": "seen", "source": "https://gist.github.com/alon710/aa885c0fd60e9933dfca974f0bf10618", "content": "# GHSA-F3CJ-J4F6-WQ85: GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hydratable Promises\n\n> **CVSS Score:** 9.1\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/GHSA-F3CJ-J4F6-WQ85\n\n## Summary\nA critical Cross-Site Scripting (XSS) vulnerability exists in the Server-Side Rendering (SSR) engine of the Svelte framework. The vulnerability occurs due to insecure promise serialization within the experimental `hydratable` feature. Attackers controlling the output of a resolved promise can inject JavaScript string replacement tokens, causing the SSR engine to duplicate template strings into executable script blocks.\n\n## TL;DR\nSvelte versions prior to 5.55.7 contain an XSS vulnerability in the `hydratable` SSR feature. Attackers can leverage the '$' replacement token in promise values to execute arbitrary JavaScript in the victim's browser.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network\n- **CVSS v4.0**: 9.1 (Critical)\n- **Impact**: High Confidentiality, High Integrity (Subsequent System)\n- **Exploit Status**: PoC Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Svelte SSR Engine\n- Svelte applications utilizing the experimental `hydratable` feature with untrusted data\n- **svelte**: >= 5.46.0, < 5.55.7 (Fixed in: `5.55.7`)\n\n## Mitigation\n\n- Upgrade Svelte to version 5.55.7 or higher.\n- Implement strict input validation against string values containing '$' before they are processed by the hydratable function.\n- Deploy a robust Content Security Policy (CSP) restricting inline script execution.\n\n**Remediation Steps:**\n1. Identify all Svelte projects within the organization using versions lower than 5.55.7.\n2. Execute `npm update svelte@latest` or modify `package.json` to require `>=5.55.7`.\n3. Run the application test suite to verify the upgrade does not introduce regressions.\n4. Deploy the updated application to staging and production environments.\n\n## References\n\n- [GitHub Security Advisory GHSA-f3cj-j4f6-wq85](https://github.com/sveltejs/svelte/security/advisories/GHSA-f3cj-j4f6-wq85)\n- [Svelte Patch Commit](https://github.com/sveltejs/svelte/commit/a16ebc67bbcf8f708360195687e1b2719463e1a4)\n- [Svelte 5.55.7 Release Notes](http://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7)\n- [OSV Vulnerability Record](https://osv.dev/vulnerability/GHSA-f3cj-j4f6-wq85)\n- [MDN Documentation: String.prototype.replace()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#specifying_a_string_as_the_replacement)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-F3CJ-J4F6-WQ85) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-15T08:40:29.000000Z"}]}