CVE-2025-32388 Information
Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search parameter names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link containing that URL. This vulnerability is fixed in 2.20.6.
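The following is an added illustration of the affected pattern; it is not SvelteKit's code and not taken from the advisory. A server load function iterates over every entry of event.url.searchParams, so the parameter names chosen by the attacker reach the rendered output. The two render functions are stand-ins for the framework's own serialization of that data (an assumption made for the demo): one writes the names verbatim, the other escapes them. The sample URL is constructed for the example, and the payload sits in the parameter name, not the value.

```javascript
// Added example for CVE-2025-32388 (not SvelteKit's own code).
// Demonstrates why iterating over every entry of event.url.searchParams in a
// server load function is the affected pattern, and what sanitizing the
// parameter *names* looks like. renderUnsafe/renderSafe are assumed stand-ins
// for the framework's serialization of load data, not the real implementation.

// Server load function of the affected shape: it touches every entry,
// including the keys an attacker chose when crafting the URL.
function load({ url }) {
  const params = {};
  for (const [name, value] of url.searchParams) {
    params[name] = value;
  }
  return { params };
}

// Minimal HTML escaper for text content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before": values are escaped but names are written into markup verbatim.
function renderUnsafe(data) {
  return Object.entries(data.params)
    .map(([name, value]) => `<li>${name}=${escapeHtml(value)}</li>`)
    .join('');
}

// "After": names get the same escaping as values.
function renderSafe(data) {
  return Object.entries(data.params)
    .map(([name, value]) => `<li>${escapeHtml(name)}=${escapeHtml(value)}</li>`)
    .join('');
}

// Practitioner check: list parameter names that carry HTML-significant
// characters, e.g. when scanning request URLs from an access log.
function suspiciousParamNames(urlString) {
  const url = new URL(urlString);
  return [...url.searchParams.keys()].filter((name) => /[<>"'&]/.test(name));
}

// Constructed sample URL (not from the advisory). The payload is the parameter
// name; it contains no "=" so the form-urlencoded parser keeps it intact.
// WHATWG URL parsing percent-encodes "<" and ">" in url.search, but
// url.searchParams decodes them again, so the load function sees the raw name.
const maliciousUrl = 'https://example.test/page?<script>alert(1)</script>=1&sort=asc';

// Runs the load function on a URL and returns both renderings for comparison.
function demo(urlString) {
  const data = load({ url: new URL(urlString) });
  return { unsafe: renderUnsafe(data), safe: renderSafe(data) };
}

console.log(demo(maliciousUrl));
console.log(suspiciousParamNames(maliciousUrl));
```

The unsafe rendering emits the script tag as live markup; the safe rendering emits it as inert text. If your load functions iterate over searchParams and you cannot upgrade immediately, the check above can be run over logged request URLs to spot names that would have been interpreted as markup.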
Reference
https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf
https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6
https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp