CVE-2026-42567: CWE-1333: Inefficient Regular Expression Complexity in sveltejs svelte
Svelte versions from 5. 51. 5 up to but not including 5. 55. 7 contain an inefficient regular expression in the runtime that can cause exponential time complexity when testing certain elements. This issue affects the <svelte:element this={tag}></svelte:element> construct. The vulnerability has been fixed in version 5. 55. 7. The CVSS 4.
AI Analysis
Technical Summary
CVE-2026-42567 describes a vulnerability in the Svelte web framework where an internal regular expression used in the runtime exhibits exponential time complexity when processing the <svelte:element this={tag}></svelte:element> syntax. This inefficiency can lead to performance degradation or denial of service conditions. The affected versions are from 5.51.5 up to but not including 5.55.7. The issue has been patched in version 5.55.7. No known exploits in the wild have been reported.
Potential Impact
The vulnerability can cause significant performance degradation due to the exponential time complexity of the regex evaluation, potentially leading to denial of service in applications using affected Svelte versions. The impact requires high privileges and user interaction, and the attack complexity is high, limiting the ease of exploitation.
Mitigation Recommendations
Upgrade Svelte to version 5.55.7 or later, where this inefficient regular expression issue has been patched. No other mitigation steps are indicated by the vendor advisory. Patch status is confirmed by the version fix information.
CVE-2026-42567: CWE-1333: Inefficient Regular Expression Complexity in sveltejs svelte
Description
Svelte versions from 5. 51. 5 up to but not including 5. 55. 7 contain an inefficient regular expression in the runtime that can cause exponential time complexity when testing certain elements. This issue affects the <svelte:element this={tag}></svelte:element> construct. The vulnerability has been fixed in version 5. 55. 7. The CVSS 4.
CVSS v4.0
Score 5.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42567 describes a vulnerability in the Svelte web framework where an internal regular expression used in the runtime exhibits exponential time complexity when processing the <svelte:element this={tag}></svelte:element> syntax. This inefficiency can lead to performance degradation or denial of service conditions. The affected versions are from 5.51.5 up to but not including 5.55.7. The issue has been patched in version 5.55.7. No known exploits in the wild have been reported.
Potential Impact
The vulnerability can cause significant performance degradation due to the exponential time complexity of the regex evaluation, potentially leading to denial of service in applications using affected Svelte versions. The impact requires high privileges and user interaction, and the attack complexity is high, limiting the ease of exploitation.
Mitigation Recommendations
Upgrade Svelte to version 5.55.7 or later, where this inefficient regular expression issue has been patched. No other mitigation steps are indicated by the vendor advisory. Patch status is confirmed by the version fix information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-28T17:26:12.084Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a284cbb8dd33fbd85664539
Added to database: 6/9/2026, 5:26:19 PM
Last enriched: 6/9/2026, 11:26:51 PM
Last updated: 6/10/2026, 6:13:10 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.