GHSA-f3cj-j4f6-wq85: Svelte: SSR XSS via Insecure Promise Serialization in hydratable
Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following are true:
- you are using hydratable (an experimental feature at the time of this report)
- you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g.
hydratable('someKey', () => [synchronousValue, promiseValue])
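The class of defect the advisory describes is state serialized into an inline script without escaping the characters that let a string close the script element. The following is an added illustration, not Svelte's code and not part of the advisory: a serializer that escapes JSON for safe inclusion in a script tag, and a wrapper that first settles the array shape named above (a synchronous value followed by a promise) so that resolved promise contents go through the same escaping. The function names, the global name and the sample input are assumptions constructed for the example.

```javascript
// Added example (not Svelte's code): safely embedding serialized state in an
// inline <script> so that hydrated values cannot break out of the script.

// Characters that are dangerous inside an inline <script> when the payload is
// JSON: '<' can open "</script>" or "<!--"; '>' and '&' are escaped for good
// measure; U+2028/U+2029 are line terminators that older JS parsers reject.
// Each is replaced by a JSON \uXXXX escape, which JSON.parse decodes back.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Serialize a value to JSON and escape it for inclusion inside <script>.
// JSON.stringify alone leaves '<' untouched, which is what lets a string such
// as "</script>" terminate the script element.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Settle any promises in the hydrated array (the shape named in the advisory:
// a synchronous value followed by a promise), then serialize the settled
// values. Non-promise entries pass through Promise.all unchanged.
async function renderHydrationScript(key, values) {
  const settled = await Promise.all(values);
  const payload = serializeForInlineScript({ [key]: settled });
  // window.__HYDRATED__ is an assumed name for this example.
  return `<script>window.__HYDRATED__ = ${payload};</script>`;
}

// Defender-side check: the only legitimate "</script>" in the rendered HTML is
// the one the renderer appends itself, so a second occurrence means a breakout.
function containsScriptBreakout(html) {
  return html.indexOf('</script>') !== html.lastIndexOf('</script>');
}

// Constructed sample input: a promise resolving to a string that would close
// the script element if embedded verbatim.
const CONSTRUCTED_INPUT = ['hello', Promise.resolve('</script><b>injected</b>')];

renderHydrationScript('someKey', CONSTRUCTED_INPUT).then((html) => {
  console.log(html);
  console.log('breakout possible:', containsScriptBreakout(html)); // false
});
```

The escaped form stays valid JSON, so the client can still `JSON.parse` it; only the HTML tokenizer's view of the bytes changes.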