Vulnerability Description
The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Svelte | Svelte | < 3.49.0 |
Related Weaknesses (CWE)
References
- https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e1638999ExploitPatchThird Party Advisory
- https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990Broken Link
- https://snyk.io/vuln/SNYK-JS-SVELTE-2931080ExploitPatchThird Party Advisory
- https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e1638999ExploitPatchThird Party Advisory
- https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990Broken Link
- https://snyk.io/vuln/SNYK-JS-SVELTE-2931080ExploitPatchThird Party Advisory
FAQ
What is CVE-2022-25875?
CVE-2022-25875 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Renderi...
How severe is CVE-2022-25875?
CVE-2022-25875 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25875?
Check the references section above for vendor advisories and patch information. Affected products include: Svelte Svelte.