{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15265", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-12-29T15:31:42.980Z", "datePublished": "2026-01-15T19:59:41.683Z", "dateUpdated": "2026-01-15T20:28:16.479Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "svelte", "platforms": ["Windows", "Linux", "MacOS"], "product": "Svelte", "vendor": "Svelte", "versions": [{"lessThan": "5.46.3", "status": "affected", "version": "5.46.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:windows:*:*:*:*:*", "versionEndExcluding": "5.46.3", "versionStartIncluding": "5.46.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:svelte:svelte:*:*:linux:*:*:*:*:*", "versionEndExcluding": "5.46.3", "versionStartIncluding": "5.46.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:svelte:svelte:*:*:macos:*:*:*:*:*", "versionEndExcluding": "5.46.3", "versionStartIncluding": "5.46.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Camilo Vera"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">An SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a &lt;script&gt; block without HTML\u2011safe escaping, allowing &lt;/script&gt; to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.</span><br><p>This issue affects Svelte: from 5.46.0 before 5.46.3.</p>"}], "value": "An SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML\u2011safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.\nThis issue affects Svelte: from 5.46.0 before 5.46.3."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-01-15T19:59:41.683Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/lydian"}, {"tags": ["vendor-advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3"}, {"tags": ["patch"], "url": "https://fluidattacks.com/advisories/lydian"}], "source": {"discovery": "UNKNOWN"}, "title": "Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T20:28:05.329081Z", "id": "CVE-2025-15265", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:28:16.479Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15265", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T20:28:05.329081Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:28:08.193Z"}}], "cna": {"title": "Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Camilo Vera"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Svelte", "product": "Svelte", "versions": [{"status": "affected", "version": "5.46.0", "lessThan": "5.46.3", "versionType": "custom"}], "platforms": ["Windows", "Linux", "MacOS"], "packageName": "svelte", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/lydian", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3", "tags": ["vendor-advisory"]}, {"url": "https://fluidattacks.com/advisories/lydian", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML\u2011safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.\nThis issue affects Svelte: from 5.46.0 before 5.46.3.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">An SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a &lt;script&gt; block without HTML\u2011safe escaping, allowing &lt;/script&gt; to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.</span><br><p>This issue affects Svelte: from 5.46.0 before 5.46.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.46.3", "versionStartIncluding": "5.46.0"}, {"criteria": "cpe:2.3:a:svelte:svelte:*:*:linux:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.46.3", "versionStartIncluding": "5.46.0"}, {"criteria": "cpe:2.3:a:svelte:svelte:*:*:macos:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.46.3", "versionStartIncluding": "5.46.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-01-15T19:59:41.683Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15265", "state": "PUBLISHED", "dateUpdated": "2026-01-15T20:28:16.479Z", "dateReserved": "2025-12-29T15:31:42.980Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2026-01-15T19:59:41.683Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "388FECC8-EDAB-4046-96F5-AC7087330E95", "versionEndExcluding": "5.46.3", "versionStartIncluding": "5.46.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An SSR XSS exists in async hydration when attacker\u2011controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML\u2011safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.\nThis issue affects Svelte: from 5.46.0 before 5.46.3."}], "id": "CVE-2025-15265", "lastModified": "2026-01-23T19:04:53.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2026-01-15T20:16:03.490", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/lydian"}, {"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/lydian"}, {"source": "help@fluidattacks.com", "tags": ["Third Party Advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "help@fluidattacks.com", "type": "Primary"}]}

{"bugzilla": {"description": "Svelte: Svelte: Remote script execution via Cross-Site Scripting (XSS) in async hydration", "id": "2430177", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430177"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Svelte. A remote attacker can exploit this Cross-Site Scripting (XSS) vulnerability during asynchronous hydration by providing specially crafted input. This input, when processed, allows for the injection of arbitrary JavaScript into a user's browser due to improper escaping of attacker-controlled keys within a script block. Successful exploitation can lead to remote script execution, potentially resulting in session theft and account compromise."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-15265", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-01-15T19:59:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-15265\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15265\nhttps://fluidattacks.com/advisories/lydian\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3"], "statement": "This vulnerability is rated Moderate for Red Hat products that incorporate Svelte versions 5.46.0 through 5.46.2 and utilize server-side rendering (SSR) with async hydration. Exploitation requires an attacker to control keys passed to hydratable components, leading to script injection and remote script execution in client browsers. This could result in session theft and account compromise for users interacting with affected applications.", "threat_severity": "Moderate"}

{}