Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS04MjY2LTg0d3Atd3Y1Y84AA_Dj

Moderate CVSS: 5.1 EPSS: 0.00113% (0.30946 Percentile) EPSS:
Permalink JSON

Svelte has a potential mXSS vulnerability due to improper HTML escaping

Affected Packages Affected Versions Fixed Versions
npm:svelte < 4.2.19 4.2.19
8,815 Dependent packages
56,439 Dependent repositories
7,230,385 Downloads last month

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.24.0, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.34.0, 1.35.0, 1.36.0, 1.37.0, 1.38.0, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.40.0, 1.40.1, 1.40.2, 1.41.0, 1.41.1, 1.41.2, 1.41.3, 1.41.4, 1.42.0, 1.42.1, 1.43.0, 1.43.1, 1.44.0, 1.44.1, 1.44.2, 1.45.0, 1.46.0, 1.46.1, 1.47.0, 1.47.1, 1.47.2, 1.48.0, 1.49.0, 1.49.1, 1.49.2, 1.49.3, 1.50.0, 1.50.1, 1.51.0, 1.51.1, 1.52.0, 1.53.0, 1.54.0, 1.54.1, 1.54.2, 1.55.0, 1.55.1, 1.56.0, 1.56.1, 1.56.2, 1.56.3, 1.56.4, 1.57.0, 1.57.1, 1.57.2, 1.57.3, 1.57.4, 1.58.0, 1.58.1, 1.58.2, 1.58.3, 1.58.4, 1.58.5, 1.59.0, 1.60.0, 1.60.1, 1.60.2, 1.60.3, 1.61.0, 1.62.0, 1.63.0, 1.63.1, 1.64.0, 1.64.1, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.6.11, 3.7.0, 3.7.1, 3.8.0, 3.8.1, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.10.1, 3.11.0, 3.12.0, 3.12.1, 3.13.0, 3.14.0, 3.14.1, 3.15.0, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.16.5, 3.16.6, 3.16.7, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.19.1, 3.19.2, 3.20.0, 3.20.1, 3.21.0, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.23.0, 3.23.1, 3.23.2, 3.24.0, 3.24.1, 3.25.0, 3.25.1, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.29.1, 3.29.2, 3.29.3, 3.29.4, 3.29.5, 3.29.6, 3.29.7, 3.30.0, 3.30.1, 3.31.0, 3.31.1, 3.31.2, 3.32.0, 3.32.1, 3.32.2, 3.32.3, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.38.1, 3.38.2, 3.38.3, 3.39.0, 3.40.0, 3.40.1, 3.40.2, 3.40.3, 3.41.0, 3.42.0, 3.42.1, 3.42.2, 3.42.3, 3.42.4, 3.42.5, 3.42.6, 3.43.0, 3.43.1, 3.43.2, 3.44.0, 3.44.1, 3.44.2, 3.44.3, 3.45.0, 3.46.0, 3.46.1, 3.46.2, 3.46.3, 3.46.4, 3.46.5, 3.46.6, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.50.1, 3.51.0, 3.52.0, 3.53.0, 3.53.1, 3.54.0, 3.55.0, 3.55.1, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.59.1, 3.59.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15, 4.2.16, 4.2.17, 4.2.18

All unaffected versions

4.2.19, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.14, 5.1.15, 5.1.16, 5.1.17, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

  • If the string is an attribute value:
    • " -> &quot;
    • & -> &amp;
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • & -> &amp;
    • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

References:

Identifiers

GHSA-8266-84wp-wv5c

CVE-2024-45047

Risk

Severity

Moderate

CVSS

CVSS Score: 5.1

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS

EPSS Percentage: 0.00113

EPSS Percentile: 0.30946

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/sveltejs/svelte

Date and time

Published

11 months ago

Updated

11 months ago

API

JSON