Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-15265

created 3 months ago

Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.

References

https://fluidattacks.com/advisories/lydian third-party-advisorypatch
https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3 vendor-advisory

Affected products

svelte

<5.46.3

Matching in nixpkgs

pkgs.svelte-check

Svelte code checker

nixos-25.11 4.3.1
- nixpkgs-25.11-darwin 4.3.1

pkgs.svelte-language-server

Language server (implementing the language server protocol) for Svelte

nixos-unstable 0.17.17
- nixpkgs-unstable 0.17.17
- nixos-unstable-small 0.17.17
nixos-25.11 0.17.21
- nixpkgs-25.11-darwin 0.17.21

pkgs.vscode-extensions.svelte.svelte-vscode

Svelte language support for VS Code

nixos-unstable 109.10.0
- nixpkgs-unstable 109.10.0
- nixos-unstable-small 109.10.0
nixos-25.11 109.12.0
- nixpkgs-25.11-darwin 109.12.0

pkgs.tree-sitter-grammars.tree-sitter-svelte

None

nixos-unstable 0.25.6
- nixpkgs-unstable 0.25.6
- nixos-unstable-small 0.25.6
nixos-25.11 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.vimPlugins.nvim-treesitter-parsers.svelte

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixpkgs-25.11-darwin

pkgs.python312Packages.tree-sitter-grammars.tree-sitter-svelte

Python bindings for tree-sitter-svelte

nixos-unstable 0.25.6
- nixpkgs-unstable 0.25.6
- nixos-unstable-small 0.25.6
nixos-25.11 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-svelte

Python bindings for tree-sitter-svelte

nixos-unstable 0.25.6
- nixpkgs-unstable 0.25.6
- nixos-unstable-small 0.25.6
nixos-25.11 0.25.10
- nixpkgs-25.11-darwin 0.25.10

Package maintainers

@A-jay98 Ali Jamadi <ali@jamadi.me>
@adfaure Adrien Faure <adfaure@pm.me>
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
@stepbrobd Yifei Sun <ysun@hey.com>
@fabianhauser Fabian Hauser <fabian.nixos@fh2.ch>
@pyrox0 Pyrox <pyrox@pyrox.dev>