GHSA-GW32-9RMW-QWWW

Svelte SSR XSS: The Textarea Trap

Alon Barad
Software Engineer

Jan 17, 2026 · 5 min read

Executive Summary (TL;DR)

In HTML a `<textarea>`'s value is its child text, not an attribute, and Svelte's SSR compiler emitted the `bind:value` content in that child position without HTML-escaping it. A value containing `</textarea>` therefore closes the element early, and everything after it is parsed as markup, including a `<script>` tag or an element with an event-handler attribute. Fixed in Svelte 3.59.2.

A high-severity Cross-Site Scripting (XSS) vulnerability exists in the Server-Side Rendering (SSR) compiler of Svelte 3 (versions 3.0.0 up to, but not including, 3.59.2). Because the value bound with `bind:value` on a `<textarea>` element is written into the rendered HTML without escaping, an attacker who controls that value can break out of the textarea's text content and execute arbitrary JavaScript in the browser of anyone who loads the server-rendered page. Any SSR route that reflects user-supplied data into such a textarea is exposed.
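To make the breakout concrete, the following is an added example and not Svelte's compiler code or its generated output: a toy renderer that splices a bound value into a `<textarea>` the way the unescaped SSR step did, the same renderer with text-content escaping applied, and a small model of how a browser tokenises the textarea's RCDATA content so the effect of each can be checked offline. The function names, the escaper, the parser and the attacker-controlled value are all constructed for this illustration.

```javascript
// Added example (not Svelte's own compiler code): a minimal model of how a
// server-side renderer emits <textarea bind:value={x}> and why the bound
// value must be escaped as *text content*, not as an attribute.

// Stand-in escaper for element text content (an assumption for this
// example; Svelte ships its own). Inside <textarea>, an RCDATA element,
// the only way out is the literal sequence "</textarea", so neutralising
// "<" is what closes the hole; "&" is escaped so that character references
// the user typed are not decoded by the browser.
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// "Before": the bound value is spliced between the tags verbatim.
function renderTextareaVulnerable(value) {
  return `<textarea>${value}</textarea>`;
}

// "After": the value is escaped like any other child text.
function renderTextareaFixed(value) {
  return `<textarea>${escapeHtmlText(value)}</textarea>`;
}

// Model of how a browser tokenises the RCDATA content of the first
// <textarea>: everything up to the first "</textarea" is text, and
// character references inside that text are decoded. Returns the value the
// user would see in the box plus whatever markup follows the end tag, which
// the browser parses as ordinary HTML.
function parseTextarea(html) {
  const open = html.indexOf('<textarea>');
  const start = open + '<textarea>'.length;
  const end = html.toLowerCase().indexOf('</textarea', start);
  const raw = html.slice(start, end);
  const value = raw
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');   // decode &amp; last so "&amp;lt;" yields "&lt;"
  const afterClose = html.indexOf('>', end) + 1;
  return { value, trailingMarkup: html.slice(afterClose) };
}

// Markup that appears after the textarea closes. A correct render of a lone
// textarea leaves nothing here; the vulnerable render leaks the payload.
function injectedMarkup(html) {
  return parseTextarea(html).trailingMarkup;
}

// Constructed attacker-controlled value, e.g. a saved draft echoed back
// into an edit form during SSR.
const payload = '</textarea><img src=x onerror="alert(document.domain)">';

function demo() {
  const vuln = renderTextareaVulnerable(payload);
  const fixed = renderTextareaFixed(payload);
  return {
    vulnInjected: injectedMarkup(vuln),     // contains the <img onerror=...> element
    fixedInjected: injectedMarkup(fixed),   // '' (nothing escaped the textarea)
    fixedValue: parseTextarea(fixed).value, // the payload, shown as plain text
  };
}

console.log(demo());
```

Run it with `node`. The point worth retaining is that escaping is lossless for a textarea: the browser decodes `&lt;` back to `<` while tokenising RCDATA, so the user sees exactly the text they typed, but the literal sequence `</textarea` can no longer occur in the output and the element cannot be closed early. After upgrading, the same check is the regression test a practitioner wants: server-render a component whose bound textarea value contains `</textarea>` and confirm the HTML contains `&lt;/textarea&gt;` rather than a second end tag.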


Technical Appendix

CVSS Score

8.4 / 10
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N

Affected Systems

Svelte framework in SSR mode, versions >= 3.0.0 and < 3.59.2
SvelteKit applications using Svelte < 3.59.2

Affected Versions Detail

Product: svelte (sveltejs)
Affected Versions: >= 3.0.0, < 3.59.2
Fixed Version: 3.59.2
Attribute / Detail

CWE ID: CWE-79
CVSS Score: 8.4 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N
Attack Vector: Network
Vulnerability Type: XSS (Cross-Site Scripting)
Affected Component: SSR Compiler (Textarea Handler)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

2023-06-20: Fix committed to the Svelte repository
2026-01-16: Advisory formally published