diff --git a/.changeset/famous-webs-flash.md b/.changeset/famous-webs-flash.md
new file mode 100644
index 0000000000..75a01f689a
--- /dev/null
+++ b/.changeset/famous-webs-flash.md
@@ -0,0 +1,5 @@
+---
+'svelte': patch
+---
+
+fix: disallow empty attribute names during SSR
diff --git a/packages/svelte/src/internal/server/index.js b/packages/svelte/src/internal/server/index.js
index 34d0133a31..12f76f188e 100644
--- a/packages/svelte/src/internal/server/index.js
+++ b/packages/svelte/src/internal/server/index.js
@@ -151,7 +151,7 @@ export function attributes(attrs, css_hash, classes, styles, flags = 0) {
 // omit functions, internal svelte properties and invalid attribute names
 if (typeof attrs[name] === 'function') continue;
 if (name[0] === '$' && name[1] === '$') continue; // faster than name.startsWith('$$')
- if (INVALID_ATTR_NAME_CHAR_REGEX.test(name)) continue;
+ if (name === '' || INVALID_ATTR_NAME_CHAR_REGEX.test(name)) continue;
 var value = attrs[name];
 var lower = name.toLowerCase();
diff --git a/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte b/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
index 2a8c17f048..e47a19408e 100644
--- a/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
+++ b/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
@@ -5,7 +5,12 @@
 onclick: 'alert(1)',
 onerror: 'alert(1)',
 onfocus: 'alert(1)',
- onmouseover: 'alert(1)'
+ onmouseover: 'alert(1)',
+ ' onload': 'alert(1)',
+ '\tonload': 'alert(1)',
+ '\u00a0onload': 'alert(1)',
+ "\t": "/onmouseover=alert(1)//",
+ "": "/onmouseover=alert(1)//"
 };
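Review bot: The new `name === ''` guard in the `INVALID_ATTR_NAME_CHAR_REGEX` line fixes a real injection vector but leaves no trace of why an empty key is dangerous, and the comment above it still lists only "functions, internal svelte properties and invalid attribute names". I would extend that comment to `// omit functions, internal svelte properties, and empty or invalid attribute names —` followed by `// an empty name would render as ' ="value"', which the HTML tokenizer re-parses as attribute syntax (see the '' test vector)`, so the next person tightening this loop does not drop the check as redundant with the regex. The rest of `attributes()` — the `for (name in attrs)` header, the `lower` checks and the point where the name is written into the output — lies outside the hunk, so whether names that pass here are emitted verbatim is inferred from the test fixture rather than visible. Separately, the regex's definition is also outside the hunk: if it carries a `g` or `y` flag, `.test()` advances `lastIndex` between iterations and can miss a bad name on the following key, which is worth confirming since this check is the only thing standing between a spread object and the attribute stream.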