Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/sveltejs/svelte).
CVSS VectorVendor: https://github.com/sveltejs/svelte
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 npm packages depend on svelte (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.55.7.
DescriptionCVE.org
Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.
You are vulnerable if all of the following is true:
- you are using attribute spreading on a form element
- you are using attribute spreading or allow a dynamic value for the
nameattribute on an input or button element within that form - both of these are simultaneously user-controllable
<form {...spread1}>
<input {...spread2}>
</form>AnalysisAI
Cross-site scripting (XSS) via DOM clobbering in Svelte versions 5.55.6 and earlier allows attackers to inject malicious code when attribute spreading is used simultaneously on both form elements and their child input/button elements with user-controllable name attributes. The vulnerability requires specific markup patterns where both the form and nested input/button use spread syntax with attacker-controlled values, enabling manipulation of Svelte's internal framework state. Vendor-released patch: version 5.55.7.
Technical ContextAI
Svelte is a JavaScript framework that compiles components at build time rather than running a virtual DOM at runtime. The vulnerability stems from DOM clobbering, where attacker-controlled attribute names or values on HTML form elements can override or shadow Svelte's internal properties used to track framework state. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates insufficient sanitization of user-supplied values when constructing DOM attributes. The attack exploits the combination of spread operators ({...spread}) in Svelte templates with user-controllable inputs, allowing an attacker to inject attributes that conflict with Svelte's internal state management, particularly on hydratable forms (server-side rendered and hydrated on the client). The fix involves hardening attribute name validation during server-side rendering, moving Svelte runtime properties to symbols to prevent property shadowing, and enhancing regex patterns to block malicious constructs.
RemediationAI
Upgrade Svelte to version 5.55.7 or later immediately. This is the primary fix and addresses the DOM clobbering vulnerability through multiple hardening measures: preventing XSS on the hydratable feature from user contents, disallowing empty attribute names during server-side rendering, hardening regex patterns, and moving Svelte runtime properties to symbols to prevent property shadowing. For applications unable to upgrade immediately, apply input validation to reject or sanitize user-supplied values used in attribute spreading contexts-specifically, disallow or escape any user input that flows into the name attribute of input or button elements within forms that also use attribute spreading. Additionally, review component templates to minimize use of attribute spreading ({...spread}) on form elements; where possible, use explicit attribute binding instead. These mitigations carry the trade-off of reduced templating flexibility but eliminate the attack vector. Consult the GitHub advisory at https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42 for additional context.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35701
GHSA-rcqx-6q8c-2c42