CVE-2025-15265

Svelte 5 SSR XSS: Poisoning the Hydration Well

Amit Schendel
Senior Security Researcher

Jan 16, 2026 · 6 min read

Executive Summary (TL;DR)

Svelte versions 5.46.0 through 5.46.2 used `JSON.stringify` to serialize hydration keys into the inline script of SSR responses. Because `JSON.stringify` does not escape the `</script>` sequence, an attacker who controls a key can terminate the legitimate script block and inject arbitrary JavaScript, leading to XSS.

A critical Cross-Site Scripting (XSS) vulnerability in Svelte 5's Server-Side Rendering (SSR) engine allows attackers to break out of hydration scripts using crafted keys.
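The mechanism above, as an added illustrative example (not Svelte's own source): a value is serialized with `JSON.stringify` straight into an inline script, beside the standard hardening of escaping `<` and `>` as JSON unicode escapes, plus a check a defender can run over rendered SSR output. `window.__hydrate` and the hostile key are assumptions constructed for the demo.

```javascript
// Added example, not Svelte's own source: it models the bug class described above,
// a JSON.stringify'd value embedded in an inline <script>, beside the usual fix.

// Vulnerable pattern. JSON.stringify leaves '<' and '>' untouched, so a value that
// contains "</script>" ends the script element early in the HTML parser.
function renderHydrationScriptUnsafe(key) {
  return `<script>window.__hydrate(${JSON.stringify(key)});</script>`;
}

// Hardened pattern. JSON.stringify first, then replace characters the HTML parser
// treats specially inside a script element with JSON/JS escapes. The escaped form is
// still valid JSON and valid JavaScript, so the value round-trips unchanged.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')   // line/paragraph separators: legal in JSON
    .replace(/\u2029/g, '\\u2029');  // strings, but line terminators in JS
}

function renderHydrationScriptSafe(key) {
  return `<script>window.__hydrate(${safeJsonForScript(key)});</script>`;
}

// Defender-side check for rendered SSR output: an inline script should contain
// exactly one "</script" (its own closing tag); more than one means a break-out.
function countScriptTerminators(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed hostile key (sample input, not taken from the advisory).
const hostileKey = '</script>';

function demo() {
  const unsafe = renderHydrationScriptUnsafe(hostileKey);
  const safe = renderHydrationScriptSafe(hostileKey);
  console.log('unsafe terminators:', countScriptTerminators(unsafe)); // 2
  console.log('safe terminators:  ', countScriptTerminators(safe));   // 1
  console.log('round-trips:', JSON.parse(safeJsonForScript(hostileKey)) === hostileKey);
  return { unsafe, safe };
}
demo();
```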


Technical Appendix

CVSS Score: 5.3 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Systems

Svelte 5.46.0
Svelte 5.46.1
Svelte 5.46.2

Affected Versions Detail

Product: Svelte
Affected Versions: >= 5.46.0, < 5.46.3
Fixed Version: 5.46.3
CWE ID: CWE-79
Attack Vector: Network
CVSS Base: 5.3 (Medium)
Impact: Cross-Site Scripting (XSS)
Affected Component: SSR Hydration Engine
Root Cause: Unsafe serialization of user input in script tags
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

2026-01-15: Vulnerability fixed in version 5.46.3
2026-01-15: Advisory published by the Svelte team