GHSA-rcqx-6q8c-2c42Medium
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
🔗 CVE IDs covered (1)
📋 Description
Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.
You are vulnerable if all of the following is true:
- you are using attribute spreading on a form element
- you are using attribute spreading or allow a dynamic value for the
nameattribute on an input or button element within that form - both of these are simultaneously user-controllable
<form {...spread1}>
<input {...spread2}>
</form>
🎯 Affected products1
- npm/svelte:<= 5.55.6