Svelte
cpe:2.3:a:svelte:svelte:*:*:*:*:*:*:*
- <= 5.55.6
Svelte before version 5.55.7 is vulnerable to DOM clobbering of the framework's internal per-element state, which can lead to cross-site scripting (XSS). The bug is reachable when attributes are spread onto a form element ({...attrs} on <form>) and an input or button inside that form has a dynamic 'name' attribute, with both the spread values and the name under user control. A form control's 'name' is exposed as a property of its parent form element and takes precedence over the form's own properties, so an attacker who chooses that name can make the framework's property lookups on the form return the attacker's element instead of the framework's bookkeeping.
Successful exploitation results in XSS: attacker-supplied script runs in the victim's browser in the origin of the affected application.
An application is affected when it runs Svelte 5.55.6 or earlier and both conditions hold together: an attribute spread on a form element whose values a user can influence, and a user-controllable 'name' on an input or button inside that form. With both in place, the chosen name clobbers the framework's internal state on the form element, creating the XSS risk. To check exposure, review components for spreads on <form> elements and for name={...} bindings on form controls that derive from request data or user input.
Upgrade to Svelte version 5.55.7 or later. Where an immediate upgrade is not possible, either of the two preconditions can be removed in application code: stop passing user-controlled values through an attribute spread on form elements, or do not let user input decide the 'name' of inputs or buttons inside such forms.
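The following is an added example and is not Svelte's code or its fix. It models, without a DOM, the browser rule that makes this class of bug possible: a form control's name becomes a property of the <form> and wins over the form's own members for both reads and the `in` operator. A vulnerable spread routine that keeps per-element state as an expando property and routes "property or attribute?" with `key in element` is shown beside a hardened variant that keeps state in a WeakMap and checks the prototype chain instead. The names `__state` and `data-csrf`, the FakeForm model and the two spread functions are all assumptions made for the illustration.

```javascript
'use strict';
// Added example, not Svelte's code. A DOM-free model of DOM clobbering on
// <form>: in browsers HTMLFormElement has [LegacyOverrideBuiltIns], so every
// control's `name` is exposed as a property of the form and shadows the
// form's own members for reads and for `in`. FakeForm plus the Proxy below
// model only that rule. `__state` is a hypothetical expando name standing in
// for whatever per-element bookkeeping a framework might keep on the element.

class FakeForm {
  constructor() {
    this._attrs = new Map();    // what setAttribute() wrote
    this.controls = new Map();  // control name -> modelled <input>
  }
  setAttribute(name, value) { this._attrs.set(name, String(value)); }
  getAttribute(name) { return this._attrs.has(name) ? this._attrs.get(name) : null; }
  appendInput(name) {           // `name` is the attacker-controlled value
    const input = { tagName: 'INPUT', name };
    this.controls.set(name, input);
    return input;
  }
}
// Real members live on the prototype, as they do in the browser.
Object.defineProperty(FakeForm.prototype, 'action', {
  get() { return this._action ?? ''; },
  set(v) { this._action = String(v); },
  configurable: true,
});

function createForm() {
  return new Proxy(new FakeForm(), {
    // Named-control lookup wins over the form's own members.
    has(t, key) { return (typeof key === 'string' && t.controls.has(key)) || key in t; },
    get(t, key) {
      if (typeof key === 'string' && t.controls.has(key)) return t.controls.get(key);
      const v = Reflect.get(t, key, t);
      return typeof v === 'function' ? v.bind(t) : v;
    },
    // The model lets writes through to the real member; what clobbering
    // changes here is the read and the `in` check.
    set(t, key, value) { return Reflect.set(t, key, value, t); },
  });
}

// Vulnerable pattern (constructed): state as an expando, routing via `key in el`.
// A control named "__state" makes `form.__state` return that <input>, so the
// framework's bookkeeping lands on an attacker-chosen element; a control
// named like a spread key makes `key in form` true, so the value is written
// as an expando property and the attribute never reaches the DOM.
function spreadVulnerable(form, attrs) {
  const state = (form.__state ??= {});
  for (const [key, value] of Object.entries(attrs)) {
    if (state[key] === value) continue;
    state[key] = value;
    if (key in form) form[key] = value;
    else form.setAttribute(key, value);
  }
  return state;
}

// Hardened pattern (constructed): state in a WeakMap keyed by the element, so
// there is no expando the DOM can shadow, and property detection that walks
// the prototype chain only, ignoring named controls and other own properties.
const internal = new WeakMap();
function isRealProperty(el, key) {
  for (let p = Object.getPrototypeOf(el); p; p = Object.getPrototypeOf(p)) {
    if (Object.prototype.hasOwnProperty.call(p, key)) return true;
  }
  return false;
}
function spreadHardened(form, attrs) {
  let state = internal.get(form);
  if (!state) internal.set(form, (state = {}));
  for (const [key, value] of Object.entries(attrs)) {
    if (state[key] === value) continue;
    state[key] = value;
    if (isRealProperty(form, key)) form[key] = value;
    else form.setAttribute(key, value);
  }
  return state;
}

module.exports = { createForm, spreadVulnerable, spreadHardened, isRealProperty };
```

Running the vulnerable routine on a form whose attacker-named control is `__state` returns that input object as the "state", and a control named `data-csrf` silently suppresses the `data-csrf` attribute the spread was supposed to set; the hardened routine sets the attribute and keeps its state out of reach of the DOM. On a real element, `isRealProperty` finds reflected properties such as `action` on HTMLFormElement.prototype while named controls, which are own properties of the instance, are never considered.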