Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS13djhxLXI5MzItOGhjN84AAtWH

Moderate EPSS: 0.00815% (0.73354 Percentile) EPSS:
Permalink JSON

Svelte vulnerable to XSS when using objects during server-side rendering

Affected Packages Affected Versions Fixed Versions
npm:svelte < 3.49.0 3.49.0
8,815 Dependent packages
56,439 Dependent repositories
7,230,385 Downloads last month

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.24.0, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.34.0, 1.35.0, 1.36.0, 1.37.0, 1.38.0, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.40.0, 1.40.1, 1.40.2, 1.41.0, 1.41.1, 1.41.2, 1.41.3, 1.41.4, 1.42.0, 1.42.1, 1.43.0, 1.43.1, 1.44.0, 1.44.1, 1.44.2, 1.45.0, 1.46.0, 1.46.1, 1.47.0, 1.47.1, 1.47.2, 1.48.0, 1.49.0, 1.49.1, 1.49.2, 1.49.3, 1.50.0, 1.50.1, 1.51.0, 1.51.1, 1.52.0, 1.53.0, 1.54.0, 1.54.1, 1.54.2, 1.55.0, 1.55.1, 1.56.0, 1.56.1, 1.56.2, 1.56.3, 1.56.4, 1.57.0, 1.57.1, 1.57.2, 1.57.3, 1.57.4, 1.58.0, 1.58.1, 1.58.2, 1.58.3, 1.58.4, 1.58.5, 1.59.0, 1.60.0, 1.60.1, 1.60.2, 1.60.3, 1.61.0, 1.62.0, 1.63.0, 1.63.1, 1.64.0, 1.64.1, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.6.11, 3.7.0, 3.7.1, 3.8.0, 3.8.1, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.10.1, 3.11.0, 3.12.0, 3.12.1, 3.13.0, 3.14.0, 3.14.1, 3.15.0, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.16.5, 3.16.6, 3.16.7, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.19.1, 3.19.2, 3.20.0, 3.20.1, 3.21.0, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.23.0, 3.23.1, 3.23.2, 3.24.0, 3.24.1, 3.25.0, 3.25.1, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.29.1, 3.29.2, 3.29.3, 3.29.4, 3.29.5, 3.29.6, 3.29.7, 3.30.0, 3.30.1, 3.31.0, 3.31.1, 3.31.2, 3.32.0, 3.32.1, 3.32.2, 3.32.3, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.38.1, 3.38.2, 3.38.3, 3.39.0, 3.40.0, 3.40.1, 3.40.2, 3.40.3, 3.41.0, 3.42.0, 3.42.1, 3.42.2, 3.42.3, 3.42.4, 3.42.5, 3.42.6, 3.43.0, 3.43.1, 3.43.2, 3.44.0, 3.44.1, 3.44.2, 3.44.3, 3.45.0, 3.46.0, 3.46.1, 3.46.2, 3.46.3, 3.46.4, 3.46.5, 3.46.6, 3.47.0, 3.48.0

All unaffected versions

3.49.0, 3.50.0, 3.50.1, 3.51.0, 3.52.0, 3.53.0, 3.53.1, 3.54.0, 3.55.0, 3.55.1, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.59.1, 3.59.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15, 4.2.16, 4.2.17, 4.2.18, 4.2.19, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.14, 5.1.15, 5.1.16, 5.1.17, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.

References:

Identifiers

GHSA-wv8q-r932-8hc7

CVE-2022-25875

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00815

EPSS Percentile: 0.73354

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/sveltejs/svelte

Date and time

Published

about 3 years ago

Updated

almost 2 years ago

API

JSON