GHSA-9rmh-mm8f-r9h6Medium

Svelte: ReDoS in `<svelte:element>` Tag Validation

Published
May 14, 2026
Last Modified
June 9, 2026

🔗 CVE IDs covered (1)

📋 Description

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

🎯 Affected products1

  • npm/svelte:>= 5.51.5, <= 5.55.6

🔗 References (4)