{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.043Z", "datePublished": "2026-02-20T22:29:45.364Z", "dateUpdated": "2026-02-25T21:33:14.822Z"}, "containers": {"cna": {"title": "Svelte SSR attribute spreading includes inherited properties from prototype chain", "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"}, {"name": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f"}, {"name": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5"}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"version": "< 5.51.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T22:29:45.364Z"}, "descriptions": [{"lang": "en", "value": "svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted \u2014 a precondition outside of Svelte's control \u2014 this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5."}], "source": {"advisory": "GHSA-crpf-4hrx-3jrp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:33:01.018593Z", "id": "CVE-2026-27125", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:33:14.822Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27125", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:33:01.018593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:33:10.378Z"}}], "cna": {"title": "Svelte SSR attribute spreading includes inherited properties from prototype chain", "source": {"advisory": "GHSA-crpf-4hrx-3jrp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "sveltejs", "product": "svelte", "versions": [{"status": "affected", "version": "< 5.51.5"}]}], "references": [{"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp", "name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f", "name": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5", "name": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted \u2014 a precondition outside of Svelte's control \u2014 this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T22:29:45.364Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27125", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:33:14.822Z", "dateReserved": "2026-02-17T18:42:27.043Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-20T22:29:45.364Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "95D3F8E1-FD81-4A9E-900E-5C66951A10BB", "versionEndExcluding": "5.51.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted \u2014 a precondition outside of Svelte's control \u2014 this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5."}], "id": "CVE-2026-27125", "lastModified": "2026-02-23T20:52:23.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T23:16:02.780", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "svelte: Svelte SSR attribute spreading includes inherited properties from prototype chain", "id": "2441511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441511"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-915", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27125", "package_state": [{"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}], "public_date": "2026-02-20T22:29:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27125\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27125\nhttps://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f\nhttps://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5\nhttps://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.51.5)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "svelte", "source": "cna", "vendor": "sveltejs"}, "product": "svelte", "vendor": "svelte"}], "analysis": {"en": {"generated_at": "2026-04-18T11:22:47.661157+00:00", "value": {"mitigation_remediation": ["Upgrade Svelte to version 5.51.5 or later to apply the fix that restricts attribute spreading to own properties only.", "Inspect your Node.js environment for prototype pollution by reviewing dependencies that modify Object.prototype, and upgrade or patch those libraries as needed.", "Until a newer Svelte release is available, avoid using the spread syntax in SSR templates or sanitize the attribute object to include only own properties before spreading."], "summary": {"action": "Apply Patch", "impact": "Unintended attributes or errors in server\u2011side rendered output"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to any deployment of Svelte version 5.51.4 or earlier that performs server\u2011side rendering. Users must verify the Svelte version by inspecting package.json or running npm list svelte. The affected runtime is Node.js environments that include Svelte SSR.", "description_and_impact": "Svelte\u2019s server\u2011side rendering logic was previously designed to spread custom attributes onto elements using the syntax <div {...attrs}>. The implementation enumerated all enumerable properties of the provided object, including those inherited from the prototype chain. This unintended inclusion of inherited properties is a manifestation of CWE\u2011915. If the global Object.prototype had been modified\u2014an event Svelte does not control\u2014the spread operation could inject additional, unintended attributes into the rendered HTML or cause the renderer to throw exceptions. This flaw does not affect client\u2011side rendering and is limited to environments where SSR is performed.", "risk_and_exploitability": "The flaw carries a CVSS score of 5.3, placing it in the moderate range. The EPSS score is below 1\u202f%, indicating a low likelihood of exploitation at the time of analysis. The issue is not listed in CISA\u2019s KEV catalog. Exploitation would require an attacker to supply a polluted Object.prototype or supply a user\u2011controlled object that has unexpected inherited properties. Because Svelte\u2019s implementation does not filter or validate the source of attributes, an attacker could cause the SSR pipeline to emit extraneous attributes that may leak data or trigger runtime failures, but the impact remains confined to the generated markup and does not allow execution of arbitrary code."}}}}, "created": "2026-02-23T14:33:32.342867+00:00", "updated": "2026-04-18T11:30:44.315447+00:00", "vendors": ["svelte", "svelte$PRODUCT$svelte"]}