CVE-2025-15265

State: PUBLISHED · Published: 2026-01-15 · Updated: 2026-01-15 · Assigner: Fluid Attacks

Description

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.

CWE

CWE-79 — CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Affected

Svelte / Svelte — v=5.46.0 <5.46.3 [affected]

CVSS

4.0 score=5.3 severity=MEDIUM CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

https://fluidattacks.com/advisories/lydian third-party-advisory
https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3 vendor-advisory
https://fluidattacks.com/advisories/lydian patch

Source

cvelistV5-main/cves/2025/15xxx/CVE-2025-15265.json