Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-27125

updated 3 weeks, 4 days ago by @pyrox0 Activity log

Created automatic suggestion 1 month ago
@pyrox0 removed
10 packages
- svelte-check
- svelte-language-server
- nodePackages.svelte-check
- nodePackages_latest.svelte-check
- vscode-extensions.svelte.svelte-vscode
- tree-sitter-grammars.tree-sitter-svelte
- vimPlugins.nvim-treesitter-parsers.svelte
- python312Packages.tree-sitter-grammars.tree-sitter-svelte
- python313Packages.tree-sitter-grammars.tree-sitter-svelte
- python314Packages.tree-sitter-grammars.tree-sitter-svelte
3 weeks, 4 days ago
@pyrox0 dismissed 3 weeks, 4 days ago

Svelte SSR attribute spreading includes inherited properties from prototype chain

svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.

References

https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp x_refsource_CONFIRM
https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f x_refsource_MISC
https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5 x_refsource_MISC

Affected products

svelte

==< 5.51.5

Ignored packages (10)

pkgs.svelte-check

Svelte code checker

nixos-unstable 4.3.1
- nixpkgs-unstable 4.3.1
- nixos-unstable-small 4.3.1
nixos-25.11 4.3.1
- nixos-25.11-small 4.3.1
- nixpkgs-25.11-darwin 4.3.1

pkgs.svelte-language-server

Language server (implementing the language server protocol) for Svelte

nixos-unstable 0.17.25
- nixpkgs-unstable 0.17.25
- nixos-unstable-small 0.17.25
nixos-25.11 0.17.21
- nixos-25.11-small 0.17.21
- nixpkgs-25.11-darwin 0.17.21

pkgs.nodePackages.svelte-check

Svelte Code Checker Terminal Interface

pkgs.nodePackages_latest.svelte-check

Svelte Code Checker Terminal Interface

pkgs.vscode-extensions.svelte.svelte-vscode

Svelte language support for VS Code

nixos-unstable 109.13.0
- nixpkgs-unstable 109.13.0
- nixos-unstable-small 109.13.0
nixos-25.11 109.12.0
- nixos-25.11-small 109.12.0
- nixpkgs-25.11-darwin 109.12.0

pkgs.tree-sitter-grammars.tree-sitter-svelte

None

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0
nixos-25.11 0.25.10
- nixos-25.11-small 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.vimPlugins.nvim-treesitter-parsers.svelte

None

nixos-unstable 0.0.0+rev=ae5199d
- nixpkgs-unstable 0.0.0+rev=ae5199d
- nixos-unstable-small 0.0.0+rev=ae5199d
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.python312Packages.tree-sitter-grammars.tree-sitter-svelte

Python bindings for tree-sitter-svelte

nixos-25.11 0.25.10
- nixos-25.11-small 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-svelte

Python bindings for tree-sitter-svelte

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0
nixos-25.11 0.25.10
- nixos-25.11-small 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-svelte

Python bindings for tree-sitter-svelte

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0

Does not affect any of the listed packages.

Suggestion detail

References

Affected products

pkgs.svelte-check

pkgs.svelte-language-server

pkgs.nodePackages.svelte-check

pkgs.nodePackages_latest.svelte-check

pkgs.vscode-extensions.svelte.svelte-vscode

pkgs.tree-sitter-grammars.tree-sitter-svelte

pkgs.vimPlugins.nvim-treesitter-parsers.svelte

pkgs.python312Packages.tree-sitter-grammars.tree-sitter-svelte

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-svelte

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-svelte