
THREATINT
PUBLISHED

CVE-2025-32388

SvelteKit allows XSS via tracked search_params



Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.
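The advisory names one affected pattern: a server load function that iterates over every entry of event.url.searchParams, so that attacker-chosen parameter names reach the page. The example below is added here and is not SvelteKit's own code or the fix referenced above; the fix is upgrading to 2.20.6. It shows the defence-in-depth shape of a load function that never enumerates the query string and instead reads only an allowlist of expected names, so unknown names are never touched. The route, the parameter names in ALLOWED_PARAMS and the sample URL are constructed for illustration.

```javascript
// Added example, not SvelteKit code. Demonstrates reading search params by
// allowlist instead of iterating over all of event.url.searchParams.

// Hypothetical set of parameter names this route actually uses.
const ALLOWED_PARAMS = new Set(['q', 'page', 'sort']);

// Return only the allowlisted parameters that are present in the URL.
// Names are taken from the allowlist, never from the request, so an
// attacker-supplied name cannot appear in the returned object's keys.
function pickAllowedParams(url, allowed = ALLOWED_PARAMS) {
  const known = {};
  for (const name of allowed) {
    const value = url.searchParams.get(name); // get() does not enumerate entries
    if (value !== null) known[name] = value;
  }
  return known;
}

// Shape of a SvelteKit server `load` function for a hypothetical search route.
// Only the allowlisted values are returned to the page.
function load(event) {
  return { params: pickAllowedParams(event.url) };
}

// Stand-alone usage with a constructed URL that carries an unexpected name.
const sampleEvent = { url: new URL('https://example.test/search?q=shoes&page=2&unexpected=1') };
console.log(load(sampleEvent)); // { params: { q: 'shoes', page: '2' } }
```

The returned object is built from the allowlist, so its keys are fixed at development time; the query string only supplies values, which SvelteKit then handles like any other load data.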

Reserved 2025-04-06 | Published 2025-04-15 | Updated 2025-04-16 | Assigner GitHub_M


MEDIUM: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

affected: >= 2.0.0, < 2.20.6

References

github.com/...js/kit/security/advisories/GHSA-6q87-84jw-cjhp

github.com/...ommit/d3300c6a67908590266c363dba7b0835d9a194cf

github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.20.6

cve.org (CVE-2025-32388)

nvd.nist.gov (CVE-2025-32388)

https://cve.threatint.eu/CVE/CVE-2025-32388