GHSA-wv8q-r932-8hc7: Svelte cross-site scripting prior to 3.49.0 when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
- CVE-2022-25875
Moderate severity GitHub Reviewed Published Jul 13, 2022 • Updated Jul 15, 2022
Affected versions
< 3.49.0
Description
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
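The class of bug described above, sketched as an added example (not code from the advisory or from Svelte; every function name here is hypothetical): an attribute escaper that only handles string primitives lets an object through untouched, so the output of its toString() reaches the SSR markup unescaped. The hardened variant converts the value to a string first and escapes the result.

```javascript
// Added illustration: a simplified model of an SSR attribute renderer.
// All names are hypothetical; this is not Svelte's source code.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  // String() invokes a custom toString() on objects before escaping.
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Weak: only string primitives are escaped. An object is returned as-is and
// is stringified (via its toString) only when concatenated into the markup.
function escapeAttrWeak(value) {
  return typeof value === 'string' ? escapeHtml(value) : value;
}

// Hardened: stringify first, then escape, so the text that is escaped is
// exactly the text that ends up in the markup.
function escapeAttrSafe(value) {
  return escapeHtml(value);
}

function renderAttr(name, value, escapeFn) {
  // Nullish and false values omit the attribute; true emits the bare name.
  if (value === null || value === undefined || value === false) return '';
  if (value === true) return ` ${name}`;
  return ` ${name}="${escapeFn(value)}"`;
}

// Constructed sample input: an object whose toString() returns markup.
const fromObject = { toString: () => '"><b>injected</b>' };

function demo() {
  return {
    // Same text as a plain string: the weak escaper handles it correctly.
    weakString: renderAttr('title', '"><b>injected</b>', escapeAttrWeak),
    // As an object: the quote and tags survive and close the attribute early.
    weakObject: renderAttr('title', fromObject, escapeAttrWeak),
    // Hardened escaper: the object's text is escaped like any other string.
    safeObject: renderAttr('title', fromObject, escapeAttrSafe),
  };
}

console.log(demo());
```
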