CVE-2025-15265
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: Fluid Attacks

Description
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15265
EUVD
EUVD-2026-2733
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
svelte svelte From 5.46.0 (inc) to 5.46.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15265 is a reflected cross-site scripting (XSS) vulnerability in the Svelte JavaScript framework versions 5.46.0 through 5.46.3. It occurs during server-side rendering (SSR) asynchronous hydration when attacker-controlled keys are passed to the hydratable function. These keys are embedded inside a <script> block in the server-rendered HTML without proper HTML-safe escaping, allowing an attacker to inject arbitrary JavaScript by breaking out of the script context. This enables remote code execution in users' browsers. [1, 2]

Impact Analysis

This vulnerability can lead to remote script execution in users' browsers, which may result in session or token theft, DOM manipulation, cross-site request forgery (CSRF) bypass, and account takeover depending on session management. Exploitation requires no privileges or user interaction and can be performed remotely with a single request. [1, 2]

Detection Guidance

Detection can focus on identifying usage of vulnerable Svelte versions (5.46.0 to 5.46.3) and the presence of the experimental.async flag with hydratable keys derived from user input. Since exploitation involves attacker-controlled keys embedded unsafely in <script> blocks, monitoring HTTP responses for script tags containing suspicious or unescaped user input patterns like '</script>' can help. Commands to check installed Svelte version include: `npm list svelte` or `yarn list svelte`. For network detection, inspecting HTTP responses for injected script tags or unusual payloads using tools like `curl` or `wget` combined with `grep` can be useful, e.g., `curl -s http://yourapp | grep '</script>'`. Additionally, scanning source code for usage of `hydratable` with dynamic keys may help identify vulnerable code paths. [1, 2]

Mitigation Strategies

The immediate mitigation step is to upgrade Svelte to version 5.46.4 or later, where the vulnerability is patched by properly escaping hydratable keys to prevent script injection. Additionally, avoid using attacker-controlled input as hydratable keys, especially when the experimental.async flag is enabled. If upgrading immediately is not possible, consider disabling the experimental.async feature or sanitizing keys before passing them to the hydratable function to reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart