Svelte Server-Side Rendering Attribute Spreading Vulnerability

Vulnerability

A vulnerability in Svelte's server-side rendering (SSR) feature allows attribute spreading on elements to include inherited properties from the object's prototype chain, rather than just its own properties. This issue arises in environments where Object.prototype has been modified, leading to unexpected attributes in the SSR output or causing errors. Client-side rendering is not impacted.
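The difference between inherited and own-property enumeration described above, as an added example: this is a simplified model of the bug class, not Svelte's code or its patch. All function names and the sample props are hypothetical, and the marker property is constructed and removed again after the run.

```javascript
// Simplified model of SSR attribute spreading; NOT Svelte's source code.
// All names below are hypothetical and exist only for this example.

const escapeAttr = (v) =>
  String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// Weak pattern: `for...in` walks the prototype chain, so every enumerable
// property on Object.prototype is emitted as if it were a spread attribute.
function spreadInherited(attrs) {
  let out = '';
  for (const name in attrs) out += ` ${name}="${escapeAttr(attrs[name])}"`;
  return out;
}

// Hardened pattern: Object.keys returns own enumerable properties only.
function spreadOwn(attrs) {
  let out = '';
  for (const name of Object.keys(attrs)) {
    out += ` ${name}="${escapeAttr(attrs[name])}"`;
  }
  return out;
}

// Startup/health check: a clean runtime has no enumerable keys here.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Runs fn with a constructed marker on Object.prototype, then removes it.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, enumerable: true, configurable: true, writable: true,
  });
  try { return fn(); } finally { delete Object.prototype[key]; }
}

function demo() {
  const props = { class: 'btn', id: 'save' }; // constructed sample props
  return withPollutedPrototype('data-polluted', 'yes', () => ({
    inherited: spreadInherited(props), // includes the inherited marker
    own: spreadOwn(props),             // only class and id
    detected: pollutedKeys(),          // what the health check reports
  }));
}

console.log(demo());
```

A check like `pollutedKeys()` can run at server start or in a test suite to flag a polluted runtime before any markup is rendered.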

Impact

Exploitation of this vulnerability can result in the incorrect rendering of attributes during server-side processing, potentially allowing for markup injection or other unintended consequences.

Reproduction

To reproduce this vulnerability, use a version of Svelte prior to 5.51.5 and create a component that spreads attributes onto an element using the 'svelte:element' tag. In an environment where 'Object.prototype' has been polluted, this will cause inherited properties to be included, leading to unexpected attributes in the server-side rendered output or causing an error.

Remediation

Users can upgrade to Svelte version 5.51.5 or later, where this vulnerability has been fixed.

Added: Feb 20, 2026, 11:26 PM
Updated: Feb 20, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.3
exploitability: 5.1
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.