Svelte, ReDoS, CVE-2026-42567 (Moderate)

Listen to this Post

CVE-2026-42567 is a Regular Expression Denial of Service vulnerability in the Svelte runtime, specifically within the validation logic for the `` component’s `this` property. The runtime employs an internal regular expression to validate dynamic HTML tag names before rendering. This regex, when processing an input string of unconstrained length, can exhibit exponential backtracking behavior. For a crafted string containing a specific pattern of characters (such as repeated alternations or nested quantifiers), each additional character can double the number of internal states the regex engine must evaluate. This results in CPU time growing exponentially with the input length, quickly exhausting the event loop and rendering the application unresponsive. An attacker can trigger this state by supplying a maliciously long `this` value to a `` component, for example through a user-controlled property or API data. The vulnerability was introduced in version 5.51.5 and affects all versions up to and including 5.55.6. Applications that limit the length of the tag name or restrict it to a predetermined whitelist are not exploitable. The issue is fixed in Svelte version 5.55.7 by replacing the vulnerable regex with a safer, linear-time validation routine that does not rely on backtracking. The assigned CVSS v4 score is CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, with High availability impact and Moderate overall severity.

dailycve form:

Platform: Svelte runtime
Version: <=5.55.6
Vulnerability : ReDoS (CWE-1333)
Severity: Moderate (CVSS:4.0)
date: 2026-05-14

Prediction: Patch within days

What Undercode Say:

Check current Svelte version
npm list svelte
Update to patched version
npm install [email protected]
Verify update was successful
npm list svelte | grep 5.55.7
Test for vulnerability (requires Node.js)
node -e "const { validate_tag } = require('svelte/internal'); const payload = 'a'.repeat(10000); console.time('validate'); validate_tag(payload); console.timeEnd('validate');"
Scan project for dangerous patterns
grep -r "<svelte:element this={" . --include=".svelte" | wc -l
Audit all dependencies for known ReDoS
npm audit --production | grep -i "redos"

Exploit:

An attacker supplies a highly repetitive string to the `this` attribute of <svelte:element>. The vulnerable regex enters catastrophic backtracking, consuming 100% CPU for seconds or minutes per request, leading to full application unavailability.

// Malicious payload example
const evil = '<svelte:element this={"a".repeat(10000) + "!"}></svelte:element>';
// The regex will take exponential time to reject the invalid tag name.

Protection from this CVE

– Immediately upgrade to Svelte `5.55.7` or later.
– If upgrade is not possible, sanitize and limit the length of any user-supplied tag name to fewer than 200 characters.
– Implement a whitelist of allowed tag names and reject all others.
– Deploy a Web Application Firewall (WAF) rule to block requests containing suspiciously long `this` parameters in Svelte components.
– Monitor CPU usage for unusual spikes and set up alerts.

Impact

– Availability: Complete denial of service; the Node.js process becomes unresponsive, requiring a restart.
– Attack vector: Remote, unauthenticated (if the tag name is sourced from user input).
– Business impact: Applications that render user‑supplied HTML tags or use `` with external data are at high risk of being taken offline.
– Exploit complexity: Low; the attacker only needs to control a string of moderate length (e.g., URL parameter, form field, API payload).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top