chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed #902

renovate · 2024-08-30T17:33:35Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	`4.2.12` -> `4.2.19`

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

`v4.2.19`

Compare Source

Patch Changes

fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)

`v4.2.18`

Compare Source

Patch Changes

chore: speed up regex (#11922)

`v4.2.17`

Compare Source

Patch Changes

fix: correctly handle falsy values of style directives in SSR mode (#11584)

`v4.2.16`

Compare Source

Patch Changes

fix: check if svelte component exists on custom element destroy (#11489)

`v4.2.15`

Compare Source

Patch Changes

support attribute selector inside :global() (#11135)

`v4.2.14`

Compare Source

Patch Changes

fix parsing camelcase container query name (#11131)

`v4.2.13`

Compare Source

Patch Changes

fix: applying :global for +,~ sibling combinator when slots are present (#9282)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

chore(deps): update dependency svelte to v4.2.19 [security]

e2c76d7

renovate bot changed the title ~~chore(deps): update dependency svelte to v4.2.19 [security]~~ chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed Sep 12, 2024

renovate bot closed this Sep 12, 2024

renovate bot deleted the renovate/npm-svelte-vulnerability branch September 12, 2024 20:02

jhthorsen self-assigned this Sep 12, 2024

jhthorsen added the dependencies Pull requests that update a dependency file label Sep 12, 2024

jhthorsen added this to the dependabot milestone Sep 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed #902

chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed #902

renovate bot commented Aug 30, 2024

chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed #902

chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed #902

Conversation

renovate bot commented Aug 30, 2024

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Release Notes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Configuration