CVE-2026-27125 Overview
CVE-2026-27125 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Svelte, a performance-oriented web framework. Prior to version 5.51.5, Svelte's server-side rendering (SSR) implementation improperly handles attribute spreading on elements (e.g., <div {...attrs}>), enumerating inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted—a precondition outside of Svelte's control—this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors.
Critical Impact
When combined with prototype pollution, attackers may inject unexpected HTML attributes into SSR output, potentially enabling cross-site scripting (XSS) or disrupting application rendering. Client-side rendering is not affected.
Affected Products
- Svelte versions prior to 5.51.5 (Node.js)
- Applications using Svelte SSR with attribute spreading syntax
- Server-side rendered applications in environments with polluted Object.prototype
Discovery Timeline
- 2026-02-20 - CVE CVE-2026-27125 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-27125
Vulnerability Analysis
This vulnerability stems from how Svelte's SSR compiler handles attribute spreading on HTML elements. When developers use the spread syntax (e.g., <div {...attrs}>), Svelte enumerates all properties of the object, including those inherited from the prototype chain. In a clean JavaScript environment, this behavior is benign since Object.prototype contains no enumerable properties by default.
However, if an attacker or a vulnerable dependency has polluted Object.prototype with malicious properties, those properties will be rendered as HTML attributes during SSR. This creates a second-order vulnerability where prototype pollution—typically considered a precondition vulnerability—can escalate to attribute injection in SSR output.
The attack requires network access and assumes that prototype pollution has already occurred in the server environment, making exploitation dependent on chaining with another vulnerability.
Root Cause
The root cause lies in the SSR attribute spreading implementation not filtering for own properties. When iterating over an object's properties during attribute rendering, the code enumerated all properties including inherited ones. The fix introduces proper validation using REGEX_VALID_TAG_NAME and adds explicit error handling for invalid dynamic element tags, preventing malicious attributes from prototype pollution from being rendered.
Attack Vector
The attack requires an attacker to first achieve prototype pollution in the Node.js server environment through a separate vulnerability. Once Object.prototype is polluted with enumerable properties, any Svelte component using attribute spreading will include those properties in the rendered HTML output. This network-accessible attack path could enable:
- Injection of arbitrary HTML attributes into SSR output
- Potential XSS if event handler attributes (e.g., onclick) are injected
- SSR crashes due to invalid attribute values causing rendering errors
// Security patch in packages/svelte/src/compiler/phases/1-parse/state/element.js
/** @import { Location } from 'locate-character' */
/** @import { AST } from '#compiler' */
/** @import { Parser } from '../index.js' */
-import { is_void } from '../../../../utils.js';
+import { is_void, REGEX_VALID_TAG_NAME } from '../../../../utils.js';
import read_expression from '../read/expression.js';
import { read_script } from '../read/script.js';
import read_style from '../read/style.js';
Source: GitHub Commit
// Security patch in packages/svelte/src/internal/server/errors.js - Added validation
throw error;
}
+/**
+ * `<svelte:element this="%tag%">` is not a valid element name — the element will not be rendered
+ * @param {string} tag
+ * @returns {never}
+ */
+export function dynamic_element_invalid_tag(tag) {
+ const error = new Error(`dynamic_element_invalid_tag\n\`<svelte:element this="${tag}">\` is not a valid element name — the element will not be rendered\nhttps://svelte.dev/e/dynamic_element_invalid_tag`);
+
+ error.name = 'Svelte error';
+
+ throw error;
+}
+
/**
* Encountered asynchronous work while rendering synchronously.
* @returns {never}
Source: GitHub Commit
Detection Methods for CVE-2026-27125
Indicators of Compromise
- Unexpected HTML attributes appearing in server-rendered pages that are not defined in component code
- SSR rendering errors with messages about invalid attribute names or values
- Prototype pollution indicators such as unexpected properties on native JavaScript objects
- Application logs showing dynamic_element_invalid_tag errors after patching
Detection Strategies
- Audit Svelte application dependencies for prototype pollution vulnerabilities using npm audit or similar tools
- Review SSR output for anomalous HTML attributes not defined in source templates
- Implement runtime monitoring for Object.prototype modifications in the Node.js server environment
- Use static analysis tools to identify components using attribute spreading syntax
Monitoring Recommendations
- Enable detailed SSR error logging to capture rendering anomalies
- Monitor for unusual patterns in rendered HTML output using output validation
- Implement Content Security Policy (CSP) headers to mitigate potential XSS from attribute injection
- Set up alerts for prototype pollution detection libraries in the server runtime
How to Mitigate CVE-2026-27125
Immediate Actions Required
- Upgrade Svelte to version 5.51.5 or later immediately
- Audit the application environment for existing prototype pollution vulnerabilities
- Review dependencies for known prototype pollution issues and update accordingly
- Consider implementing Object.freeze on Object.prototype in server environments if feasible
Patch Information
The vulnerability is fixed in Svelte version 5.51.5. The patch introduces proper tag name validation using REGEX_VALID_TAG_NAME and adds explicit error handling for invalid dynamic element tags. The fix ensures that only valid, explicitly defined properties are rendered as HTML attributes during SSR.
Workarounds
- Avoid using attribute spreading syntax ({...attrs}) in SSR-rendered components until patched
- Explicitly enumerate required attributes instead of spreading entire objects
- Implement server-side input validation to sanitize objects before attribute spreading
- Use Object.keys() or Object.getOwnPropertyNames() patterns when manually handling object properties
# Upgrade Svelte to the patched version
npm update svelte@5.51.5
# Or specify the exact version in package.json
npm install svelte@5.51.5 --save
# Verify the installed version
npm list svelte
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
