Moderate severity · OSV Advisory · Published Jan 15, 2026 · Updated Jan 15, 2026
Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)
CVE-2025-15265
Description
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3.
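The breakout described above, shown as an added illustration that is not Svelte's own code: a constructed SSR helper embeds a key inside a `<script>` block, first as-is (so a key containing `</script>` closes the block early) and then with `<`, `>`, `&` and the U+2028/U+2029 line terminators escaped as `\uXXXX` sequences, which stay valid JSON and so parse back to the same value in the browser. The function names, the `window.__hydrate` payload shape and the sample key are assumptions for the example.

```javascript
// Added example (not Svelte's code): script-breakout in an SSR payload
// and the escaping that prevents it.

// Unsafe: JSON.stringify never escapes "<", so a key containing "</script>"
// survives into the script body and the HTML parser ends the block there.
function hydrationScriptUnsafe(key, value) {
  const json = JSON.stringify({ [key]: value });
  return `<script>window.__hydrate=${json};</script>`;
}

// Escape characters that are meaningful to the HTML parser inside a script
// block. "\u003c" etc. are legal JSON string escapes, so the payload still
// decodes to the original value after JSON.parse on the client.
function escapeForScript(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Safe variant: same payload, escaped before it is placed in the script.
function hydrationScriptSafe(key, value) {
  const json = escapeForScript(JSON.stringify({ [key]: value }));
  return `<script>window.__hydrate=${json};</script>`;
}

// Regression check an SSR test suite can run: a rendered block must contain
// exactly one closing script tag, the one the template itself emits.
function closingScriptTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample key (assumption) of the shape the advisory describes.
const hostileKey = '</script><script>alert(1)</script>';

console.log(closingScriptTags(hydrationScriptUnsafe(hostileKey, 1))); // 3
console.log(closingScriptTags(hydrationScriptSafe(hostileKey, 1)));   // 1
```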
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| svelte (npm) | >= 5.46.0, < 5.46.4 | 5.46.4 |
References
- fluidattacks.com/advisories/lydian (third-party advisory, patch)
- github.com/advisories/GHSA-6738-r8g5-qwp3 (GHSA advisory)
- github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-15265 (NVD advisory)
- github.com/sveltejs/svelte/commit/ef81048e238844b729942441541d6dcfe6c8ccca (patch commit)
- github.com/sveltejs/svelte/releases/tag/svelte%405.46.4 (release)