GHSA-GW32-9RMW-QWWW: Svelte SSR XSS: The Textarea Trap

Published: January 16, 2026 at 10:03 PM EST
Source: Dev.to

Vulnerability Overview

  • ID: GHSA-GW32-9RMW-QWWW
  • CVSS Score: 8.4 (High)
  • Published: 2026-01-16
  • CWE: CWE-79
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N
  • Attack Vector: Network
  • Type: XSS (Cross‑Site Scripting)

Description

A high‑severity XSS vulnerability exists in Svelte’s Server‑Side Rendering (SSR) compiler. The compiler fails to escape the content of bind:value directives on <textarea> elements during SSR. Because <textarea> contents are children, not attributes, an attacker can inject </textarea> to break out of the tag context and execute arbitrary JavaScript.

The issue is fixed in Svelte 3.59.2.
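The tag break-out described above, as an added example that is not part of the advisory or of Svelte's code: a minimal model of the SSR output for `<textarea bind:value={value}>` before and after the fix, using a simplified stand-in for Svelte's internal escape helper and a constructed untrusted value.

```javascript
// Simplified text-content escaper, a stand-in for Svelte's internal `escape`
// (assumption: only the characters that matter in a child/text context).
function escapeText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// What the vulnerable compiler (< 3.59.2) effectively emitted for the
// textarea: the bound value is placed among the element's children unescaped.
function renderTextareaVulnerable(value) {
  return `<textarea>${value || ''}</textarea>`;
}

// What the fixed compiler (>= 3.59.2) emits: `@escape(snippet || "")`, so the
// children are escaped and a null/undefined binding still yields "".
function renderTextareaFixed(value) {
  return `<textarea>${escapeText(value || '')}</textarea>`;
}

// Defender-side check for rendered markup: a single textarea should produce
// exactly one literal closing tag. Any other count means the value escaped
// the child context.
function textareaBreakout(html) {
  const closes = (html.match(/<\/textarea>/gi) || []).length;
  return closes !== 1;
}

// Constructed sample of user-controlled input containing a closing tag.
const untrusted = '</textarea><p>injected</p>';

// Vulnerable output: '<textarea></textarea><p>injected</p></textarea>'
// Fixed output:      '<textarea>&lt;/textarea&gt;&lt;p&gt;injected&lt;/p&gt;</textarea>'
function demo() {
  return {
    vulnerable: renderTextareaVulnerable(untrusted),
    fixed: renderTextareaFixed(untrusted),
  };
}
```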

Affected Versions

  • Svelte ≥ 3.0.0 < 3.59.2
  • SvelteKit applications using SSR mode with the vulnerable compiler

Fix

The patch escapes textarea children during SSR:

@@ -149,7 +149,7 @@ export default function (node: Element, renderer: Renderer, options: RenderOptio
            // value = name === 'textContent' ? x`@escape($$value)` : x`$$value`;
        } else if (binding.name === 'value' && node.name === 'textarea') {
            const snippet = expression.node;
-           node_contents = x`${snippet} || ""`;
+           node_contents = x`@escape(${snippet} || "")`;
        } else if (binding.name === 'value' && node.name === 'select') {
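Review bot: the escape wraps the whole `${snippet} || ""` expression rather than only `${snippet}`, which is the right order: the fallback is a constant empty string, so applying `@escape` outside the `||` means a null or undefined binding still goes through the helper instead of bypassing it. The hunk carries no accompanying test; a regression test that server-renders a `<textarea bind:value>` whose value contains `</textarea>` and asserts that the output keeps that closing tag encoded (as `&lt;/textarea&gt;`) would lock the fix in.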

Remediation Steps

  1. Check the Svelte version in package.json.

  2. Upgrade to Svelte 3.59.2 or later:

    npm install svelte@latest
    # or
    yarn upgrade svelte

  3. Verify the installed version:

    npm list svelte

  4. Rebuild and redeploy the application to ensure the compiler generates safe code.
