CVE-2025-15265: svelte vulnerable to Cross-site Scripting
An XSS vulnerability exists in Svelte 5.46.0-2 (the affected version as listed on this page) because hydratable keys are not properly escaped when they are serialised into server-rendered HTML. If a key incorporates untrusted user input (for example a value taken from a URL parameter, form field or header), an attacker can break out of the serialised payload and inject arbitrary JavaScript into the HTML the server emits, which then executes in the browser of every user who loads that page. The fix commit and the svelte@5.46.4 release tag are listed in the references below; upgrade to a release containing that commit, and until then treat any hydratable key derived from request data as attacker-controlled.
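The following is an added illustration of the bug class the advisory describes, not Svelte's own code and not the patched implementation: a server writes a hydratable key/value pair into an inline script so the client can read it during hydration, and a key containing `</script>` closes that element early. The helper names, the `window.__hydratable` global, the HTML shape and the payload are assumptions made for this demonstration only.

```javascript
// Added example, not code from the Svelte project. It models the pattern the
// advisory names (a "hydratable" key serialised into server-rendered HTML);
// the helper names, the window.__hydratable global and the HTML shape are
// assumptions for this demonstration only.

// Attacker-controlled key (constructed input). The HTML tokenizer ends a
// <script> element at the first "</script" it sees, regardless of whether that
// text sits inside a JavaScript string literal.
const PAYLOAD_KEY = 'user</script><script>alert(document.domain)</script>';

// Vulnerable: JSON.stringify yields a valid JS string literal, but it leaves
// '<' and '>' untouched, so a key containing "</script>" still breaks out of
// the script body and the remainder is parsed as ordinary HTML.
function renderHydratableUnsafe(key, value) {
  return '<script>window.__hydratable = window.__hydratable || {};' +
    'window.__hydratable[' + JSON.stringify(key) + '] = ' +
    JSON.stringify(value) + ';</script>';
}

// Escape the characters that matter to the HTML parser, plus the two Unicode
// line terminators that are legal in JSON strings but not in older JS source,
// using JSON/JS Unicode escapes. The result is still a valid JS expression
// that evaluates to the same value, but no longer contains "</script" or
// "<!--" in raw form.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: every serialised piece, the key included, goes through the
// escaper before being placed in the script body.
function renderHydratableSafe(key, value) {
  return '<script>window.__hydratable = window.__hydratable || {};' +
    'window.__hydratable[' + escapeForInlineScript(JSON.stringify(key)) + '] = ' +
    escapeForInlineScript(JSON.stringify(value)) + ';</script>';
}

// Check used to show the difference: count <script start tags in the output.
// Correct output has exactly one; a breakout yields more.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Round trip: parsing the escaped literal returns the original key, so the
// escaping is transparent to the client-side reader.
function decodeEscapedKey(key) {
  return JSON.parse(escapeForInlineScript(JSON.stringify(key)));
}

// Stand-alone demonstration.
console.log('unsafe script tags:', countScriptTags(renderHydratableUnsafe(PAYLOAD_KEY, 1)));
console.log('safe script tags:  ', countScriptTags(renderHydratableSafe(PAYLOAD_KEY, 1)));
console.log('round trip ok:     ', decodeEscapedKey(PAYLOAD_KEY) === PAYLOAD_KEY);
```

The point a reviewer should take from the unsafe variant is that JSON-encoding alone is not an HTML-context escape: the HTML parser runs before the JavaScript parser, so anything placed inside an inline script needs `<`, `>` and `&` encoded as JS escapes, with the key treated exactly like the value.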
References
- github.com/advisories/GHSA-6738-r8g5-qwp3
- github.com/sveltejs/svelte
- github.com/sveltejs/svelte/commit/ef81048e238844b729942441541d6dcfe6c8ccca
- github.com/sveltejs/svelte/releases/tag/svelte%405.46.4
- github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3
- nvd.nist.gov/vuln/detail/CVE-2025-15265
Detect and mitigate CVE-2025-15265 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.