Description
Svelte is a performance-oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unintended attributes or errors in server-side rendered output
Action: Apply Patch
AI Analysis

Impact

Svelte's server-side rendering logic spreads custom attributes onto elements with the syntax <div {...attrs}>. Before the fix, the implementation enumerated every enumerable property of the supplied object, including properties inherited through the prototype chain; this unintended inclusion of inherited properties is an instance of CWE-915. If the global Object.prototype had been modified, a condition Svelte does not control, the spread operation could inject additional, unintended attributes into the rendered HTML or cause the renderer to throw exceptions. The flaw does not affect client-side rendering and is limited to environments where SSR is performed.

Affected Systems

The vulnerability applies to any deployment of Svelte version 5.51.4 or earlier that performs server-side rendering. Verify the Svelte version in use by inspecting package.json or running npm list svelte. The affected runtime is any Node.js environment that performs Svelte SSR.

Risk and Exploitability

The flaw carries a CVSS score of 5.3, placing it in the moderate range. The EPSS score is below 1%, indicating a low likelihood of exploitation at the time of analysis, and the issue is not listed in CISA's KEV catalog. Exploitation would require an attacker to have already polluted Object.prototype, or to supply a user-controlled object that carries unexpected inherited properties. Because the affected implementation does not filter or validate the source of attributes, an attacker could cause the SSR pipeline to emit extraneous attributes that may leak data or trigger runtime failures; the impact remains confined to the generated markup and does not allow execution of arbitrary code.

Generated by OpenCVE AI on April 18, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Svelte to version 5.51.5 or later to apply the fix that restricts attribute spreading to own properties only.
  • Inspect your Node.js environment for prototype pollution by reviewing dependencies that modify Object.prototype, and upgrade or patch those libraries as needed.
  • Until a newer Svelte release is available, avoid using the spread syntax in SSR templates or sanitize the attribute object to include only own properties before spreading.
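As an added example that is not Svelte's code or part of this advisory, the JavaScript below models the CWE-915 pattern described above (a for...in loop over the attribute object is an assumption about the pattern, not a claim about Svelte's implementation) beside the own-properties-only form that the fix and the third action describe, and includes the sanitizing workaround and a pollution check. The polluted prototype is a constructed local object, so the real Object.prototype is never touched.

```javascript
// Added example (not Svelte's code): a toy SSR attribute serializer in the
// for...in style, beside an own-properties-only version, plus the sanitizing
// workaround and a pollution check. The polluted prototype is constructed.

function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Vulnerable pattern: for...in walks the prototype chain, so any enumerable
// property on a polluted prototype becomes an attribute in the markup.
function spreadAttrsForIn(attrs) {
  let out = '';
  for (const key in attrs) {
    const v = attrs[key];
    if (v == null || v === false) continue;
    out += ` ${key}="${escapeAttr(v)}"`;
  }
  return out;
}

// Hardened pattern: Object.keys yields own enumerable properties only.
function spreadAttrsOwn(attrs) {
  let out = '';
  for (const key of Object.keys(attrs)) {
    const v = attrs[key];
    if (v == null || v === false) continue;
    out += ` ${key}="${escapeAttr(v)}"`;
  }
  return out;
}

// Workaround from the recommended actions: copy only own properties before
// handing the object to a spread you do not control.
function ownProps(obj) {
  return Object.fromEntries(Object.entries(obj));
}

// Pollution check: a clean Object.prototype has no enumerable keys.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed input: a prototype carrying an attribute the template never set.
const pollutedProto = { 'data-injected': 'from-prototype' };
const attrs = Object.assign(Object.create(pollutedProto), { id: 'card', class: 'box' });

console.log(`<div${spreadAttrsForIn(attrs)}></div>`); // inherited attribute leaks in
console.log(`<div${spreadAttrsOwn(attrs)}></div>`);   // own properties only
```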

Generated by OpenCVE AI on April 18, 2026 at 11:22 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-crpf-4hrx-3jrp
Title: Svelte SSR attribute spreading includes inherited properties from prototype chain
History

Wed, 25 Feb 2026 22:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 21:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Svelte; Svelte svelte

Type: Vendors & Products
Values Added: Svelte; Svelte svelte

Sat, 21 Feb 2026 12:15:00 +0000

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Moderate

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Fri, 20 Feb 2026 22:45:00 +0000

Type: Description
Values Added: Svelte is a performance-oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

Type: Title
Values Added: Svelte SSR attribute spreading includes inherited properties from prototype chain

Type: Weaknesses
Values Added: CWE-915

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:33:14.822Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27125

Vulnrichment

Updated: 2026-02-25T21:33:10.378Z

NVD

Status: Analyzed

Published: 2026-02-20T23:16:02.780

Modified: 2026-02-23T20:52:23.960

Link: CVE-2026-27125

Red Hat

Severity: Moderate

Public Date: 2026-02-20T22:29:45Z

Links: CVE-2026-27125 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses