
CVE-2022-25875: Svelte vulnerable to XSS when using objects during server-side rendering

CVSS Score (v3.1)
6.1

Basic Information

EPSS Score
0.64758%
Published
7/13/2022
Updated
9/7/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
svelte
Ecosystem
npm
Vulnerable Versions
< 3.49.0
First Patched Version
3.49.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two issues in SSR attribute handling: 1) escape_attribute_value previously escaped only string values, leaving objects (including those with a custom toString()) unescaped; 2) add_attribute called value.toString() directly without sufficient escaping. The patch addresses both by extending escape_attribute_value to handle objects and changing add_attribute to call the escape function directly. The commit diff shows these functions were modified to fix improper attribute escaping, confirming their role in the vulnerability.
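The following is an added illustration of the escaping gap described above; it is not Svelte's own code. The function names mirror the ones named in the root cause analysis, but the bodies are simplified reconstructions of the "before" and "after" behaviour (an assumption), kept side by side so the difference in how a non-string attribute value is handled can be checked directly:

```javascript
// Added illustration, not Svelte's code. Function bodies below are simplified
// reconstructions of the behaviour described in the root cause analysis.

// Minimal escaping for a value placed inside a double-quoted HTML attribute.
function escapeHtmlAttr(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Pre-fix behaviour (reconstructed): only string values are escaped; any
// other value is handed back untouched and stringified later by the caller.
function escape_attribute_value_before(value) {
  return typeof value === 'string' ? escapeHtmlAttr(value) : value;
}

// Pre-fix add_attribute (reconstructed): calls toString() on the value
// directly, so an object with a custom toString() is emitted verbatim.
function add_attribute_before(name, value) {
  if (value == null) return '';
  return ` ${name}="${escape_attribute_value_before(value).toString()}"`;
}

// Post-fix behaviour (reconstructed): every non-null value is coerced to a
// string first and then escaped, so objects (custom toString() included)
// take the same escaping path as plain strings.
function escape_attribute_value_after(value) {
  return escapeHtmlAttr(String(value));
}

function add_attribute_after(name, value) {
  if (value == null) return '';
  return ` ${name}="${escape_attribute_value_after(value)}"`;
}

// Constructed test input: an object whose toString() yields characters that
// would terminate the attribute if they reached the output unescaped.
const objectWithToString = { toString() { return '"><injected>'; } };

// Renders the same attribute three ways so the results can be compared.
function demo() {
  return {
    plainStringBefore: add_attribute_before('title', '"><injected>'),
    objectBefore: add_attribute_before('title', objectWithToString),
    objectAfter: add_attribute_after('title', objectWithToString),
  };
}

console.log(demo());
```

Run with `node`: the plain string is escaped even in the "before" version, the object is emitted raw by the "before" version, and the "after" version escapes the object's stringified form exactly as it would a string. The practical check for a detection or patch-verification task is the last case: any value type that can reach the attribute must be coerced and escaped by the same routine, not stringified after a type check.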


WAF Protection Rules

WAF Rule

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via
