CVE-2026-42567 Overview
CVE-2026-42567 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Svelte web framework. The flaw affects an internal regex used by the Svelte runtime when evaluating <svelte:element this={tag}></svelte:element> expressions. Versions from 5.51.5 up to but not including 5.55.7 exhibit exponential matching time on crafted input strings. The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). Maintainers patched the issue in Svelte 5.55.7.
Critical Impact
Attackers supplying crafted tag values to a vulnerable <svelte:element> component can trigger exponential regex evaluation, exhausting CPU resources and degrading or halting application availability.
Affected Products
- Svelte framework versions 5.51.5 through 5.55.6
- Web applications using <svelte:element this={tag}> with untrusted tag input
- Server-side rendered Svelte applications processing user-controlled element names
Discovery Timeline
- 2026-06-09 - CVE-2026-42567 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-42567
Vulnerability Analysis
Svelte is a compiler-based JavaScript framework that generates highly optimized runtime code. The <svelte:element> directive enables dynamic element tag rendering at runtime based on the this expression value. To validate the supplied tag name, the runtime applies an internal regular expression.
The regex contains a pattern susceptible to catastrophic backtracking. When supplied with specific adversarial inputs, the regex engine explores an exponential number of paths. Evaluation time grows non-linearly with input length, causing the JavaScript event loop to stall.
Applications that pass user-controlled values into <svelte:element this={tag}> are exposed. Server-side rendering pipelines amplify the impact because regex evaluation runs on shared Node.js processes serving multiple clients.
Root Cause
The root cause is an internal validation regex with ambiguous quantifiers, classified as [CWE-1333] Inefficient Regular Expression Complexity. The pattern allows multiple ways to match overlapping substrings, forcing the engine into exponential backtracking when matches fail.
Attack Vector
An attacker submits a crafted string as the dynamic tag value to a Svelte component that renders <svelte:element this={tag}>. The malicious input commonly consists of repeated characters followed by a mismatching suffix. The regex backtracks through every permutation before failing, consuming CPU cycles and blocking concurrent requests. Exploitation requires the attacker to influence the tag binding through URL parameters, form fields, API payloads, or stored data rendered by the component.
No verified public proof-of-concept code is currently available. Refer to the GitHub Security Advisory GHSA-9rmh-mm8f-r9h6 for maintainer-provided technical details.
Detection Methods for CVE-2026-42567
Indicators of Compromise
- Sustained single-core CPU saturation on Node.js processes serving Svelte SSR responses
- HTTP request latency spikes correlated with requests containing long, repetitive query or body parameter values
- Event loop lag warnings or worker timeouts in application logs during ordinary traffic levels
- package-lock.json or pnpm-lock.yaml entries pinning Svelte between 5.51.5 and 5.55.6
Detection Strategies
- Inventory all front-end and SSR projects and extract resolved Svelte versions from lockfiles using npm ls svelte or equivalent.
- Grep source repositories for <svelte:element usage and audit each occurrence where the this expression originates from external input.
- Add application performance monitoring (APM) alerts on per-request CPU time and event loop blocking beyond a defined threshold.
Monitoring Recommendations
- Track HTTP 5xx error rates and request-duration percentiles for routes rendering dynamic Svelte components.
- Forward Node.js process metrics and web server access logs to a centralized analytics platform to correlate slow requests with payload characteristics.
- Establish baselines for normal request latency so that ReDoS-induced spikes surface quickly.
How to Mitigate CVE-2026-42567
Immediate Actions Required
- Upgrade Svelte to version 5.55.7 or later across all affected projects.
- Rebuild and redeploy any production artifacts compiled against vulnerable Svelte versions.
- Audit components for <svelte:element this={tag}> patterns and restrict tag to an allowlist of known-safe HTML element names.
- Add input length limits and server-side validation to any user-controlled values that flow into element name bindings.
Patch Information
The maintainers fixed the vulnerable regex in Svelte 5.55.7. See the GitHub Svelte Release 5.55.7 for the full release notes and the GitHub Security Advisory GHSA-9rmh-mm8f-r9h6 for advisory details.
Workarounds
- Validate the tag value against a strict allowlist (for example, ['div','span','section','article']) before binding it to <svelte:element>.
- Reject or truncate tag inputs longer than a small fixed length such as 32 characters at the request boundary.
- Place a Web Application Firewall (WAF) rule in front of vulnerable endpoints to block oversized or repetitive payloads targeting the affected parameters.
# Configuration example: upgrade Svelte to the patched release
npm install svelte@5.55.7
# Verify resolved version
npm ls svelte
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

