Skip to main content

Svelte CVE-2026-42567

| EUVDEUVD-2026-35702 MEDIUM
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-14 https://github.com/sveltejs/svelte GHSA-9rmh-mm8f-r9h6
5.9
CVSS 4.0 · Vendor: https://github.com/sveltejs/svelte
Share

Severity by source

Vendor (https://github.com/sveltejs/svelte) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/sveltejs/svelte).

CVSS VectorVendor: https://github.com/sveltejs/svelte

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Jun 09, 2026 - 17:22 NVD
5.9 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 22:15 vuln.today
Analysis Generated
May 14, 2026 - 22:15 vuln.today
CVE Published
May 14, 2026 - 20:29 nvd
MEDIUM

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on svelte (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.51.5.

DescriptionCVE.org

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

AnalysisAI

Regular expression denial of service (ReDoS) in Svelte 5.51.5 through 5.55.6 allows attackers to cause application hang or crash by passing unconstrained-length tag names to the <svelte:element> component, triggering exponential regex evaluation time in the runtime tag validation logic. The vulnerability requires applications to accept user-controlled tag input without length or content restrictions.

Technical ContextAI

The vulnerability exists in an internal regex pattern used by the Svelte runtime to validate HTML element tags within the <svelte:element this={tag}> dynamic component syntax. Svelte uses this mechanism to dynamically render HTML elements specified via the this prop. The regex pattern exhibits catastrophic backtracking behavior (CWE-1333: Inefficient Regular Expression Complexity) when tested against specially crafted input strings of exponential length. The affected versions (5.51.5 through 5.55.6) contain the vulnerable regex implementation; the issue was fixed in version 5.55.7 with a regex hardening patch (commit d2375e2e).

RemediationAI

Upgrade Svelte to version 5.55.7 or later, which includes the regex hardening patch (commit d2375e2ebcab5c88feb5652f1a9d621b8f06b259). If immediate upgrade is not feasible, implement compensating controls: validate and whitelist allowed HTML element names before passing them to <svelte:element this={tag}>, enforce maximum tag name length (standard HTML5 tag names are under 20 characters), or disable the <svelte:element> component in user-controlled code paths. Whitelist-based validation is the most robust mitigation and recommended regardless of patch status. See https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7 for the patch details and https://github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6 for the full advisory.

Vendor StatusVendor

Share

CVE-2026-42567 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy