CVE-2025-15265
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: Fluid Attacks
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| svelte | svelte | From 5.46.0 (inc) to 5.46.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15265 is a reflected cross-site scripting (XSS) vulnerability in the Svelte JavaScript framework, affecting releases from 5.46.0 up to but not including 5.46.3 (the range listed in the table above). It arises during server-side rendering (SSR) with asynchronous hydration (the experimental.async flag) when attacker-controlled keys are passed to the hydratable function. The keys are written into a <script> block in the server-rendered HTML without escaping that is safe for script context, so a key containing a sequence such as </script> terminates the block as far as the browser's HTML parser is concerned and lets the attacker open a script element of their own. The result is arbitrary JavaScript execution in the victim's browser, within the application's origin; it is not code execution on the server. [1, 2]
How can this vulnerability impact me?
Script running in the victim's browser under the application's origin can read and exfiltrate session cookies and tokens that are not HttpOnly, rewrite the DOM (for example to capture credentials typed into the page), and issue authenticated requests that defeat CSRF protections, because same-origin script can read the anti-CSRF token; depending on how sessions are managed this can amount to account takeover. Exploitation is remote and needs no privileges on the application. Because the key is reflected from request-controlled input, the attacker normally has to induce a victim to load a request carrying the crafted key, unless the application stores such input and renders it to other users later. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts. First, inventory: find deployments running Svelte 5.46.0 up to but not including 5.46.3 with the experimental.async flag enabled and hydratable keys derived from request data. `npm ls svelte --all`, `yarn list --pattern svelte` or `pnpm list svelte` report the installed version, including transitive copies; grepping the codebase for `hydratable(` and checking whether the first argument is built from URL, query-string, header or body data identifies the relevant call sites. Second, a behavioural check: send the suspected parameter a probe containing a script-terminating sequence and see whether it is echoed verbatim inside a script block, e.g. `curl -s 'http://yourapp/?q=%3C%2Fscript%3EPROBE' | grep -c '</script>PROBE'` (a non-zero count means the closing tag came back unescaped). Simply grepping responses for `</script>` is not informative, since every page with an inline script contains it. On the network side, WAF or proxy rules that flag `</script` or `<script` in query strings and bodies catch the obvious payloads but not encoded variants. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade Svelte to a release outside the affected range in the table above; the sources cite 5.46.4 or later as patched. The fix escapes hydratable keys so that they cannot terminate the script block. Independently of the upgrade, do not derive hydratable keys from user input: use a server-chosen identifier such as a counter or a hash of the input instead. If the upgrade cannot be applied immediately, disable experimental.async, or encode keys for script context before passing them to hydratable (in particular, no literal `<` may survive in the emitted script). HTML-entity escaping is the wrong tool here, because the HTML parser does not decode entities inside a script element. [1, 2]
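The following is an added example, not Svelte's code and not part of the advisory or its sources. It is a minimal Node.js model of the pattern the three answers above refer to: a server-rendered <script> block that embeds a lookup key. It shows why the HTML tokenizer, not the JavaScript parser, decides where the script element ends, what a script-safe encoding looks like, and a probe-based check of the kind the detection answer describes. The `__HYDRATE__` global, the two render functions and the probe string are constructed for illustration; how Svelte actually serializes hydratable keys is not reproduced.

```javascript
// Added example: a minimal model of an SSR step that embeds a key inside an
// inline <script> block. It is NOT Svelte's implementation; the __HYDRATE__
// global, the render functions and the probe value are constructed here.

// Constructed attacker-controlled key (think: taken from a URL parameter).
// It terminates the open script element and starts one the attacker owns.
const PROBE_KEY = '</script><script>alert(document.domain)</script>';
const PROBE_PAYLOAD = 'alert(document.domain)';

// Vulnerable: JSON.stringify makes the key a valid JS string literal but
// leaves '<' and '>' intact. The HTML tokenizer runs before the JS parser and
// ends the script element at the first "</script" it sees, quotes or not.
function renderVulnerable(key, value) {
  const data = {};
  data[key] = value;
  return '<div id="app"></div>\n' +
    '<script>window.__HYDRATE__ = ' + JSON.stringify(data) + ';</script>';
}

// Hardened: encode every character that can end or alter the script element
// as a JSON/JS unicode escape. The HTML tokenizer does not decode these, so
// the element stays intact; the JS parser (and JSON.parse) restore them.
function escapeForScript(jsonText) {
  return jsonText
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderFixed(key, value) {
  const data = {};
  data[key] = value;
  return '<div id="app"></div>\n' +
    '<script>window.__HYDRATE__ = ' + escapeForScript(JSON.stringify(data)) + ';</script>';
}

// Approximation of how a browser delimits inline scripts: from "<script ...>"
// to the first "</script", case-insensitive, regardless of JS string quoting.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Probe-based check: send a key whose payload is unique, then see whether any
// script body the browser would execute is exactly that payload. If so, the
// key was echoed unescaped and the attacker owns a script element.
function attackerOwnsScript(html, payload) {
  return scriptBodies(html).some((body) => body.trim() === payload);
}

// The hardened encoding must be lossless: JSON, like JS string literals,
// decodes \uXXXX, so the client still sees the original key.
function decodedKeys(html) {
  const m = /window\.__HYDRATE__ = ([\s\S]*?);<\/script>$/.exec(html);
  return Object.keys(JSON.parse(m[1]));
}

// Standalone usage (skipped when loaded as a module).
if (typeof require !== 'undefined' && require.main === module) {
  const bad = renderVulnerable(PROBE_KEY, 'v');
  const good = renderFixed(PROBE_KEY, 'v');
  console.log('vulnerable render breaks out:', attackerOwnsScript(bad, PROBE_PAYLOAD));
  console.log('fixed render breaks out:     ', attackerOwnsScript(good, PROBE_PAYLOAD));
  console.log('fixed key round-trips:       ', decodedKeys(good)[0] === PROBE_KEY);
}
```

The vulnerable render yields two script elements, the second of which is entirely attacker-written; the hardened render yields one, and `JSON.parse` of its payload returns the original key unchanged. The same `\u003C` substitution is what makes an HTML-entity approach unnecessary and wrong here: `&lt;` would reach the JS parser as four literal characters, whereas `\u003C` is decoded back to `<` only once the element boundary has already been fixed by the HTML parser.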