Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/sveltejs/svelte).
CVSS VectorVendor: https://github.com/sveltejs/svelte
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on svelte (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.51.5.
DescriptionCVE.org
An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.
AnalysisAI
Regular expression denial of service (ReDoS) in Svelte 5.51.5 through 5.55.6 allows attackers to cause application hang or crash by passing unconstrained-length tag names to the <svelte:element> component, triggering exponential regex evaluation time in the runtime tag validation logic. The vulnerability requires applications to accept user-controlled tag input without length or content restrictions.
Technical ContextAI
The vulnerability exists in an internal regex pattern used by the Svelte runtime to validate HTML element tags within the <svelte:element this={tag}> dynamic component syntax. Svelte uses this mechanism to dynamically render HTML elements specified via the this prop. The regex pattern exhibits catastrophic backtracking behavior (CWE-1333: Inefficient Regular Expression Complexity) when tested against specially crafted input strings of exponential length. The affected versions (5.51.5 through 5.55.6) contain the vulnerable regex implementation; the issue was fixed in version 5.55.7 with a regex hardening patch (commit d2375e2e).
RemediationAI
Upgrade Svelte to version 5.55.7 or later, which includes the regex hardening patch (commit d2375e2ebcab5c88feb5652f1a9d621b8f06b259). If immediate upgrade is not feasible, implement compensating controls: validate and whitelist allowed HTML element names before passing them to <svelte:element this={tag}>, enforce maximum tag name length (standard HTML5 tag names are under 20 characters), or disable the <svelte:element> component in user-controlled code paths. Whitelist-based validation is the most robust mitigation and recommended regardless of patch status. See https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7 for the patch details and https://github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6 for the full advisory.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35702
GHSA-9rmh-mm8f-r9h6