CVE-2024-45047
Svelte has a potential mXSS vulnerability due to improper HTML escaping
Description
### Summary A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19. ### Details Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules: - If the string is an attribute value: - `"` -> `"` - `&` -> `&` - Other characters -> No conversion - Otherwise: - `<` -> `<` - `&` -> `&` - Other characters -> No conversion The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag. ### PoC A vulnerable page (`+page.svelte`): ```html <script> import { page } from "$app/stores" // user input let href = $page.url.searchParams.get("href") ?? "https://example.com"; </script> <noscript> <a href={href}>test</a> </noscript> ``` If a user accesses the following URL, ``` http://localhost:4173/?href=</noscript><script>alert(123)</script> ``` then, `alert(123)` will be executed. ### Impact XSS, when using an attribute within a noscript tag
How to fix CVE-2024-45047
To remediate CVE-2024-45047, upgrade the affected package to a fixed version below.
- —upgrade to 4.2.19 or later
Is CVE-2024-45047 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.2.19