CVE-2026-27125

6.8 MEDIUM

📋 TL;DR

In Svelte's server-side rendering (SSR), spreading attributes onto an element enumerates properties inherited through the object's prototype chain, so when Object.prototype has been polluted those inherited properties are emitted as attributes. The result is unexpected attributes in the SSR output or SSR errors, potentially leading to server-side issues or information disclosure. Only applications that use Svelte for server-side rendering in an environment where Object.prototype is polluted are affected.
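The mechanism described above, shown as an added illustration that is not Svelte's own code: a hypothetical attribute-spreading helper that walks its props with `for...in` also visits enumerable properties inherited from Object.prototype, so a polluted prototype leaks into the markup, while a helper that iterates `Object.keys()` (own enumerable properties only) does not. The property name `injected` and the props object are constructed for the demonstration; the pollution is applied and removed inside a single function so the rest of the process is unaffected.

```javascript
// Escapes a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Naive spreading helper (hypothetical, not Svelte's): `for...in` enumerates
// enumerable properties inherited from the prototype chain as well as own ones,
// so anything added to Object.prototype shows up as an attribute.
function renderAttrsNaive(props) {
  let out = "";
  for (const key in props) {
    out += ` ${key}="${escapeAttr(props[key])}"`;
  }
  return out;
}

// Hardened helper (hypothetical): Object.keys() returns only the object's own
// enumerable properties, so inherited (polluted) properties are ignored.
function renderAttrsHardened(props) {
  let out = "";
  for (const key of Object.keys(props)) {
    out += ` ${key}="${escapeAttr(props[key])}"`;
  }
  return out;
}

// Runs fn while a constructed, enumerable property sits on Object.prototype,
// then deletes it again so the pollution does not outlive the demonstration.
function withPollutedPrototype(fn) {
  Object.prototype.injected = "polluted"; // constructed pollution for the demo
  try {
    return fn();
  } finally {
    delete Object.prototype.injected;
  }
}

// Renders the same constructed props both ways under pollution and returns both
// strings so the difference can be inspected (or asserted on).
function demo() {
  const props = { id: "main", class: "card" }; // constructed component props
  return withPollutedPrototype(() => ({
    naive: `<div${renderAttrsNaive(props)}></div>`,
    hardened: `<div${renderAttrsHardened(props)}></div>`,
  }));
}

console.log(demo());
```

With the polluted prototype in place, `naive` carries an extra `injected="polluted"` attribute that never appeared in the component's props, while `hardened` renders only `id` and `class`. An `Object.hasOwn(props, key)` guard inside the `for...in` loop would have the same effect as switching to `Object.keys()`.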

💻 Affected Systems

Products:
  • Svelte
Versions: All versions prior to 5.51.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects server-side rendering (SSR). Client-side rendering is not vulnerable. Requires Object.prototype pollution as a precondition.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Server-side rendering fails completely, causing application downtime, or sensitive information leaks through unexpected attributes in rendered HTML.

🟠 Likely Case

Minor rendering anomalies or errors in SSR output when Object.prototype pollution exists in the environment.

🟢 If Mitigated

No impact if Object.prototype is not polluted or if only client-side rendering is used.

🌐 Internet-Facing: MEDIUM - SSR vulnerabilities can affect web application availability and integrity, but require specific preconditions.
🏢 Internal Only: MEDIUM - Same technical impact but limited to internal users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires Object.prototype pollution, which is typically achieved through other vulnerabilities or misconfigurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.51.5

Vendor Advisory: https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp

Restart Required: Yes

Instructions:

1. Update the Svelte package to version 5.51.5 or later.
2. Run npm update svelte or yarn upgrade svelte.
3. Restart your application server.
4. Verify the update with npm list svelte or yarn list svelte.

🔧 Temporary Workarounds

  • Disable SSR (all): Use client-side rendering only to avoid the vulnerability.
  • Object.prototype Sanitization (all): Ensure Object.prototype is not polluted in your environment.

🧯 If You Can't Patch

  • Implement strict input validation to prevent Object.prototype pollution
  • Monitor SSR output for unexpected attributes and implement error handling

🔍 How to Verify

Check if Vulnerable:

Check whether you are running a Svelte version earlier than 5.51.5 and whether you use server-side rendering with attribute spreading.

Check Version:

Run npm list svelte | grep svelte, or check the svelte entry in package.json.

Verify Fix Applied:

Confirm that the installed Svelte version is 5.51.5 or later, then test SSR with attribute spreading.

📡 Detection & Monitoring

Log Indicators:

  • SSR errors related to attribute enumeration
  • Unexpected HTML attributes in server logs

Network Indicators:

  • HTML responses containing unexpected attributes from SSR

SIEM Query:

Search for application errors containing 'Svelte', 'SSR', or 'attribute spreading' in error messages
