HIGH 7.5

CVE-2026-42567: Svelte ReDoS Vulnerability in Dynamic Element Tags

Svelte, a popular web framework known for performance, contains a vulnerability in its runtime that can be exploited to cause denial-of-service attacks. When certain dynamic element tags are processed, an internal regular expression pattern can consume exponential amounts of computation time, effectively freezing or crashing an application. Attackers can trigger this by sending crafted input to applications using affected Svelte versions, disrupting service availability without needing authentication or special privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-1333
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42567 is a regular expression denial-of-service (ReDoS) vulnerability in Svelte's runtime affecting versions 5.51.5 through 5.55.6. The vulnerability resides in how the framework's regex engine processes the <svelte:element this={tag}> construct, a Svelte feature that dynamically renders HTML elements based on runtime variable values. When the regex validation logic encounters specially crafted input, it enters a pathological backtracking state, causing exponential time complexity. This is classified as a CWE-1333 issue (Inefficient Regular Expression Complexity). The CVSS 3.1 score of 7.5 (HIGH) reflects the attack's network accessibility, lack of authentication requirements, and impact on availability, though it does not result in confidentiality or integrity compromise.

Business impact

Applications built with vulnerable Svelte versions are susceptible to availability attacks. An attacker can send a single malicious request that causes the application server to consume CPU resources heavily, resulting in degraded performance or complete service outage. This is particularly concerning for customer-facing web applications, real-time platforms, and any service where uptime is critical. Unlike vulnerabilities requiring user interaction or authentication, this can be exploited remotely by any network-connected actor, making it a legitimate threat to production systems. The blast radius depends on how widely Svelte is deployed in your organization's stack.

Affected systems

Svelte versions 5.51.5 through 5.55.6 (inclusive) are vulnerable. Applications built with these versions that use the <svelte:element this={tag}> feature—or that accept untrusted tag input from users—are at direct risk. Development and staging environments running these versions should be considered affected as well. Organizations should inventory their Svelte dependencies across all web applications and development pipelines. The vulnerability does not affect Svelte versions prior to 5.51.5 or version 5.55.7 and later.

Exploitability

Exploitation is straightforward and does not require authentication, user interaction, or special privileges. An attacker needs only to craft input that triggers the regex backtracking behavior and send it to an endpoint that processes dynamic Svelte elements. The attack is network-accessible, meaning no local access is required. The relative simplicity of triggering the condition and the public nature of the vulnerability once disclosed increase the practical exploitability risk. However, actual impact depends on whether the vulnerable code path is actually reachable with untrusted input in a given deployment.

Remediation

Upgrade Svelte to version 5.55.7 or later. This is a straightforward dependency update that should be prioritized immediately for production systems. Organizations should test the patch in staging environments before deploying to production to ensure compatibility with their application logic, though Svelte patch releases are generally low-risk. For development teams unable to upgrade immediately, restrict the use of <svelte:element this={tag}> with untrusted user input as a temporary mitigation, though this may limit functionality.

Patch guidance

Update your Svelte dependency from version 5.51.5–5.55.6 to version 5.55.7 or later. In npm-based projects, run 'npm update svelte' or explicitly update to the patched version. Verify against the official Svelte repository or release notes to confirm the version installed is 5.55.7 or higher. If your build system or lock file pins a specific vulnerable version, manually update the version constraint and regenerate lock files. Test the updated build in a staging environment that mirrors production configuration before rolling out broadly. Teams using Svelte SvelteKit should also ensure SvelteKit is compatible with the updated Svelte version, though most recent versions support the patched Svelte release.

Detection guidance

Monitor dependencies in your codebase for Svelte versions in the 5.51.5–5.55.6 range using software composition analysis (SCA) tools such as npm audit, Snyk, or Dependabot. These tools can automatically flag the vulnerability in package.json or lock files. For runtime detection, monitor application server CPU usage spikes and response time degradation coinciding with requests containing unusual tag parameters in <svelte:element> scenarios. Collect and analyze logs for any evidence of crafted input attempting to trigger the regex pattern. Implement input validation on any user-supplied tag names before they reach the vulnerable Svelte component as a detective control.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (7.5), lack of authentication requirements, network accessibility, and potential for complete service disruption. While the patch is simple and low-risk, the window between public disclosure and active exploitation is typically narrow for denial-of-service issues. Organizations with customer-facing Svelte applications should prioritize this in the next maintenance window. The vulnerability is not currently tracked in the CISA KEV catalog, but that does not diminish its risk—ReDoS vulnerabilities are frequently exploited once details are public.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: (1) Network-accessible attack vector requiring no authentication or user interaction (high exploitability), (2) no confidentiality or integrity impact (lower than maximum), and (3) significant availability impact through denial-of-service via CPU exhaustion (high impact). The score is driven primarily by ease of exploitation and availability impact rather than data breach risk. In real-world terms, this is a 'business continuity' risk rather than a 'data breach' risk, justifying the HIGH rating.

Frequently asked questions

Can this vulnerability lead to data loss or data theft?

No. The vulnerability impacts only availability (service disruption) through CPU exhaustion. It does not compromise confidentiality or integrity, meaning attackers cannot read sensitive data or modify application state. The risk is uptime, not data security.

Do I need to update Svelte if I don't use <svelte:element this={tag}>?

The vulnerability is specific to the <svelte:element> construct. However, if you are unsure whether this feature is used anywhere in your application—including in third-party Svelte components or libraries—upgrading is the safest approach. Code search and dependency audits can help, but a patch to 5.55.7 eliminates the risk entirely.

Is there a temporary workaround if I cannot update immediately?

As a short-term mitigation, avoid passing untrusted user input directly as the 'tag' parameter in <svelte:element>. Whitelist allowed tag names and validate input server-side before it reaches the Svelte component. This reduces exposure but is not a substitute for upgrading. Prioritize the patch within your next maintenance cycle.

Will updating Svelte to 5.55.7 break my application?

Svelte 5.55.7 is a patch release (not a major or minor version change), so it typically includes only bug fixes and security patches. Most applications should update without issues. Always test in a staging environment first, especially if you have custom build configurations or rely on specific Svelte internals, but breakage is rare.

This analysis is based on publicly disclosed information as of the publication and modification dates provided. Actual risk in your environment depends on your specific Svelte version, application architecture, and exposure of the vulnerable code path to untrusted input. Security teams should verify patch applicability against official vendor advisories and test thoroughly before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consulting with your security team and vendor documentation for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).