PT-2024-31398 · Svelte · Svelte

Arkark · Published 2024-08-30 · Updated 2024-09-25 · CVE-2024-45047

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Svelte versions prior to 4.2.19
Description: Svelte versions before 4.2.19 contain a potential mutation XSS (mXSS) vulnerability caused by incomplete HTML escaping during server-side rendering. The escaped output can produce a DOM tree in the browser that differs from the one Svelte expects, and an attacker who can inject content into an attribute value inside a noscript element can exploit that difference to achieve XSS. The relevant browser behaviour is that, with scripting enabled, the contents of a noscript element are parsed as raw text that ends at the first closing noscript tag, so attribute quoting offers no protection there. The estimated number of potentially affected devices is not specified.
Recommendations: Upgrade to Svelte 4.2.19 or later. As a temporary workaround, restrict the use of attributes inside noscript elements, and do not place user-supplied values in attributes (the advisory names href specifically) within noscript until the upgrade is in place.
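The following is an added example, not code from Svelte or from the advisory. It models the attribute-escaping difference behind this issue and why it matters inside noscript: the "legacy" escaper is assumed to handle only `&` and `"` in attribute values, the "fixed" escaper additionally escapes `<`, and the parser is a deliberately simplified model of a scripting-enabled HTML tokenizer rather than a real DOM. The template function, payload and helper names are hypothetical.

```javascript
// Added example (not Svelte's own source). Models the SSR attribute-escaping
// difference behind CVE-2024-45047 and shows why it matters inside <noscript>.
// Assumptions: the pre-fix escaper handles only & and " in attribute values,
// the fixed one also escapes <, and the parser below is a simplified model of
// the HTML tokenizer, not a real DOM implementation.

// Attribute escaping as modelled for SSR before the fix (assumption).
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Attribute escaping as modelled for the fixed version (assumption): once '<'
// is escaped, the value can no longer start a tag in a raw-text context.
function escapeAttrFixed(value) {
  return escapeAttrLegacy(value).replace(/</g, '&lt;');
}

// Hypothetical SSR template: a fallback link inside <noscript> whose href is
// attacker-controlled, which is exactly the pattern the advisory warns about.
function renderNoscriptLink(href, escape) {
  return `<noscript><a href="${escape(href)}">no-js fallback</a></noscript>`;
}

// Simplified model of a browser with scripting enabled: the contents of
// <noscript> are tokenized as RAWTEXT, so they end at the FIRST "</noscript>"
// regardless of attribute quotes, and whatever follows is parsed as live HTML.
function parseWithScriptingEnabled(html) {
  const openTag = '<noscript>';
  const start = html.indexOf(openTag) + openTag.length;
  const close = /<\/noscript\s*>/i.exec(html.slice(start));
  if (!close) return { noscriptRaw: html.slice(start), trailing: '' };
  const closeAt = start + close.index;
  return {
    noscriptRaw: html.slice(start, closeAt),
    trailing: html.slice(closeAt + close[0].length),
  };
}

// Heuristic check: did an element carrying an on* event handler escape the
// noscript raw-text region into live HTML?
function leaksHandlerMarkup(html) {
  const { trailing } = parseWithScriptingEnabled(html);
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(trailing);
}

// Constructed payload: closes the noscript element from inside the attribute.
const PAYLOAD = '</noscript><img src=x onerror=alert(1)>';

const legacyHtml = renderNoscriptLink(PAYLOAD, escapeAttrLegacy);
const fixedHtml = renderNoscriptLink(PAYLOAD, escapeAttrFixed);
console.log('legacy escaping leaks handler markup:', leaksHandlerMarkup(legacyHtml)); // true
console.log('fixed escaping leaks handler markup:', leaksHandlerMarkup(fixedHtml));   // false
```

With the legacy escaper the payload contains neither `&` nor `"`, so it is emitted verbatim; the scripting-enabled parser ends the noscript element at the `</noscript>` inside the attribute value and the `<img onerror>` that follows becomes a live element. With `<` escaped, no end tag exists inside the attribute, and when scripting is disabled the browser parses the noscript contents as ordinary HTML, where `&lt;` decodes back into a harmless literal inside the href value. The advisory's workaround corresponds to never letting user data reach the href argument of `renderNoscriptLink` at all.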

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-45047
GHSA-8266-84WP-WV5C

Affected Products

Svelte