CVE-2026-42567: Svelte: ReDoS in `<svelte:element>` Tag Validation

May 14, 2026 (updated June 9, 2026)

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

References

github.com/advisories/GHSA-9rmh-mm8f-r9h6
github.com/sveltejs/svelte/releases/tag/svelte%405.55.7
github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6
nvd.nist.gov/vuln/detail/CVE-2026-42567

Code Behaviors & Features

Detect and mitigate CVE-2026-42567 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →