Description
Svelte is a performance-oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerable regular expression in Svelte’s runtime can exhaust CPU time during tag name validation for the <svelte:element> component. This results in a denial‑of‑service condition by consuming excessive processor resources. The flaw is classified as a regular expression denial of service (CWE-1333) and provides no direct compromise of confidentiality or integrity, only availability degradation.

Affected Systems

Svelte framework versions 5.51.5 through 5.55.6 (the sveltejs svelte package). The issue was resolved in version 5.55.7 and later.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate risk. EPSS information is not available, meaning the current probability of exploitation is unknown. The vulnerability is not listed in CISA KEV. The likely attack vector is via user‑controlled tag names supplied to <svelte:element>; an attacker could trigger the expensive regular expression to cause high CPU usage, potentially affecting availability of the application.

Generated by OpenCVE AI on June 9, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Svelte to version 5.55.7 or later where the regular expression is fixed.
  • If an upgrade cannot be performed immediately, validate or sanitize the tag name passed to <svelte:element> against a whitelist of allowed tags before rendering to avoid triggering the expensive regex path.
  • Restart the application after implementing changes and monitor logs for abnormal CPU usage.

Generated by OpenCVE AI on June 9, 2026 at 18:27 UTC.
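The second recommended action above (check the tag name against an allowlist before it reaches <svelte:element>) as an added example; this is not Svelte's own code, and the allowlist contents, the helper name safeElementTag and the fallback tag are assumptions for illustration:

```javascript
// Added example, not Svelte project code. Gate the value bound to
// <svelte:element this={tag}> so only known tag names reach the runtime's
// tag validation (the regex path described in the advisory).
// The allowlist is a constructed, assumed set; extend it per application.
const ALLOWED_TAGS = new Set([
  'a', 'article', 'aside', 'b', 'blockquote', 'code', 'div', 'em',
  'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'i', 'li', 'ol', 'p', 'pre',
  'section', 'small', 'span', 'strong', 'ul',
]);

// Longest allowed name; anything longer is rejected before any other work,
// so oversized untrusted strings are never handed to the runtime.
const MAX_TAG_LENGTH = Math.max(...[...ALLOWED_TAGS].map((t) => t.length));

/**
 * Returns the canonical (lower-case, trimmed) tag name when `input` is on
 * the allowlist, otherwise `fallback`. Non-strings, empty strings and
 * overlong strings all fall back, so untrusted input cannot select an
 * arbitrary element or reach the runtime's expensive validation path.
 */
function safeElementTag(input, fallback = 'span') {
  if (typeof input !== 'string') return fallback;
  if (input.length === 0 || input.length > MAX_TAG_LENGTH + 2) return fallback;
  const tag = input.trim().toLowerCase();
  return ALLOWED_TAGS.has(tag) ? tag : fallback;
}

// In a component the binding would read:
//   <svelte:element this={safeElementTag(tag)}>...</svelte:element>
```

The `+ 2` on the length check only tolerates a single leading and trailing space before trimming; any longer input is rejected without being inspected.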

Advisories
Source: Github GHSA
ID: GHSA-9rmh-mm8f-r9h6
Title: Svelte: ReDoS in `<svelte:element>` Tag Validation
History

Tue, 09 Jun 2026 20:15:00 +0000

Type: First Time appeared
  Values Added: Svelte; Svelte svelte
Type: Vendors & Products
  Values Added: Svelte; Svelte svelte

Tue, 09 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
  Values Added: Svelte is a performance-oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.
Type: Title
  Values Added: Svelte: ReDoS in `<svelte:element>` Tag Validation
Type: Weaknesses
  Values Added: CWE-1333
Type: References
Type: Metrics (cvssV4_0)
  Values Added: {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T18:09:26.356Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42567

Vulnrichment

Updated: 2026-06-09T18:09:12.952Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:07.100

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-42567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:17Z

Weaknesses