Svelte Reflected Cross-Site Scripting Vulnerability in Versions 5.46.0 Prior to 5.46.3

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Svelte versions 5.46.0 prior to 5.46.3. It arises during asynchronous hydration when attacker-controlled keys are passed to the hydratable function: the untrusted key is inserted into a script block in the server-rendered HTML without escaping, so the key can close the script tag prematurely and inject arbitrary JavaScript. The injected script runs in the context of the user's browser, potentially leading to session theft and account compromise.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the user's browser, with possible consequences including session or token theft, DOM manipulation, bypassing Cross-Site Request Forgery protections through injected JavaScript, and account takeover, depending on the application's cookie and session management.

Remediation

Users are advised to upgrade to Svelte version 5.46.4, which addresses this vulnerability.

Added: Jan 15, 2026, 8:24 PM
Updated: Jan 15, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.7
exploitability: 4.4
remediation: 7.7
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.