CVE-2025-15265
svelte vulnerable to Cross-site Scripting
Description
## Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of `hydratable` keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

## Details

When using the [`hydratable`](https://svelte.dev/docs/svelte/hydratable) function, the first argument is used as a key that uniquely identifies the data, so that the value is not regenerated in the browser. This key is embedded into a `<script>` block in the server-rendered `<head>` without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

## Impact

This is a cross-site scripting vulnerability affecting applications that have the `experimental.async` flag enabled and use `hydratable` with keys incorporating untrusted user input.

- **Impact**: Arbitrary JS execution in the client's browser.
- **Exploitability**: Remote, single-request if the key is attacker-controlled.
- **Typical Outcomes**:
  - Session/token theft
  - DOM defacement
  - CSRF bypass via injected JS
  - Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.
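As an added illustration (this is not Svelte's code and not the project's patch), the following JavaScript contrasts the unsafe pattern the Details section describes, interpolating a key straight into an inline `<script>`, with a script-safe JSON encoding of the same key, plus a small check a test suite could use to confirm that rendered head markup still contains exactly one script context. The `window.__HYDRATED__` global, the `renderHead*` function names and the sample key are assumptions made for the example.

```javascript
// Added example, not Svelte's implementation. Shows how a string such as a
// hydratable key must be encoded before it is placed inside an inline
// <script> block in server-rendered HTML.

// Characters that can alter a script context when a JSON string literal
// sits inside <script>...</script>: '<' and '>' can form "</script>" or
// "<!--"; '&' is escaped defensively; U+2028/U+2029 are legal in JSON but
// are line terminators in JavaScript source.
const SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON-encode a value so the result is safe to embed inside <script>.
// The \uXXXX escapes are decoded back to the original characters by the
// JavaScript engine when the literal is evaluated, so data is preserved.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => SCRIPT_ESCAPES[ch]);
}

// Unsafe rendering (the pattern the advisory describes): the key is
// interpolated into the script with no escaping at all.
function renderHeadUnsafe(key, data) {
  return `<script>window.__HYDRATED__["${key}"] = ${JSON.stringify(data)};</script>`;
}

// Hardened rendering: both key and data go through jsonForScript, so no
// value can close the <script> element or open an HTML comment.
function renderHeadSafe(key, data) {
  return `<script>window.__HYDRATED__[${jsonForScript(key)}] = ${jsonForScript(data)};</script>`;
}

// Check for a test suite: the rendered head must contain exactly one
// opening and one closing script tag and no HTML comment opener.
function scriptContextIntact(html) {
  const openers = (html.match(/<script/gi) || []).length;
  const closers = (html.match(/<\/script/gi) || []).length;
  return openers === 1 && closers === 1 && !/<!--/.test(html);
}

// Constructed sample key containing characters that end a script context.
const SAMPLE_KEY = 'profile-</script><!--';

console.log('unsafe intact:', scriptContextIntact(renderHeadUnsafe(SAMPLE_KEY, { id: 1 })));
console.log('safe intact:  ', scriptContextIntact(renderHeadSafe(SAMPLE_KEY, { id: 1 })));
```

The same `scriptContextIntact` check can be run over any server-rendered page that embeds request-derived values, so a regression in escaping shows up as a failing test rather than as a report from a user.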
How to fix CVE-2025-15265
To remediate CVE-2025-15265, upgrade the affected package to a fixed version below.
- svelte: upgrade to 5.46.4 or later
Is CVE-2025-15265 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- svelte >= 5.46.0, < 5.46.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |