Nixpkgs security tracker
Untriaged
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.
References
-
https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883 x_refsource_CONFIRM
Affected products
svelte
- ==< 5.51.5
Matching in nixpkgs
pkgs.svelte-check
Svelte code checker
pkgs.svelte-language-server
Language server (implementing the language server protocol) for Svelte
pkgs.vscode-extensions.svelte.svelte-vscode
Svelte language support for VS Code
pkgs.tree-sitter-grammars.tree-sitter-svelte
None
-
nixos-unstable 0.0.0+rev=ae5199d
- nixpkgs-unstable 0.0.0+rev=ae5199d
- nixos-unstable-small 0.0.0+rev=ae5199d
pkgs.python312Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
pkgs.python313Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
pkgs.python314Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
Package maintainers
-
@A-jay98 Ali Jamadi <ali@jamadi.me>
-
@adfaure Adrien Faure <adfaure@pm.me>
-
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
-
@stepbrobd Yifei Sun <ysun@hey.com>
-
@fabianhauser Fabian Hauser <fabian.nixos@fh2.ch>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>