CVE-2025-32388: @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params
Unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link to that URL.
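The two facts a practitioner needs to triage this advisory are the installed @sveltejs/kit version and whether any server load function actually iterates over all entries of event.url.searchParams. The script below, added here as an illustration and not taken from the advisory or from the SvelteKit project, checks both: it compares a package-lock.json entry against the release linked in the references (2.20.6, assumed here to be the first fixed version; confirm the exact affected range against the GHSA advisory) and flags source files that match common "iterate every search param" patterns. The lock-file object, the sample load functions, the regex heuristics and the function names are all constructed for this example.

```javascript
// Triage helper for CVE-2025-32388 (added example, not SvelteKit's own code).
// Assumption: releases earlier than 2.20.6 (the tag in the references) are vulnerable.
const FIXED_VERSION = "2.20.6";

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release or build suffix is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions on their numeric core; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is older than the fixed release.
function isVulnerableVersion(installed) {
  return compareSemver(installed, FIXED_VERSION) < 0;
}

// Read the resolved @sveltejs/kit version from a package-lock.json (v2/v3 layout).
function kitVersionFromLock(lock) {
  const entry = (lock.packages || {})["node_modules/@sveltejs/kit"];
  return entry ? entry.version : null;
}

// Heuristics (assumptions) for "iterates over all entries of event.url.searchParams":
// for...of over searchParams, .entries()/.keys()/.values()/.forEach(), spread, Object.fromEntries.
const ITERATION_PATTERNS = [
  /for\s*\([^)]*\bof\s+[^)]*url\.searchParams\b/,
  /url\.searchParams\.(entries|keys|values|forEach)\s*\(/,
  /\[\s*\.\.\.[^\]]*url\.searchParams\b/,
  /Object\.fromEntries\s*\([^)]*url\.searchParams\b/,
];

function iteratesAllSearchParams(source) {
  return ITERATION_PATTERNS.some((re) => re.test(source));
}

// Combine both checks: a project is exposed only when the version is vulnerable
// AND at least one server load module exhibits the affected pattern.
function triage(lock, sources) {
  const version = kitVersionFromLock(lock);
  const vulnerableVersion = version !== null && isVulnerableVersion(version);
  const affectedFiles = Object.entries(sources)
    .filter(([, src]) => iteratesAllSearchParams(src))
    .map(([name]) => name);
  return { version, vulnerableVersion, affectedFiles, exposed: vulnerableVersion && affectedFiles.length > 0 };
}

// Constructed sample inputs: a lock file pinning an older release and two load modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { "node_modules/@sveltejs/kit": { version: "2.20.5" } },
};
const SAMPLE_AFFECTED_LOAD = `
export async function load(event) {
  const filters = {};
  for (const [key, value] of event.url.searchParams) {
    filters[key] = value;
  }
  return { filters };
}`;
const SAMPLE_UNAFFECTED_LOAD = `
export async function load({ url }) {
  return { q: url.searchParams.get('q') };
}`;

const report = triage(SAMPLE_LOCK, {
  "src/routes/+page.server.js": SAMPLE_AFFECTED_LOAD,
  "src/routes/safe/+page.server.js": SAMPLE_UNAFFECTED_LOAD,
});
console.log(JSON.stringify(report, null, 2));
```

Reading a single named parameter with `searchParams.get()` is not the pattern the advisory describes, so the second sample is not flagged; the regexes are deliberately narrow, so treat a clean scan as a prompt to review by hand rather than proof of safety, and upgrade regardless of scan results.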
References
- github.com/advisories/GHSA-6q87-84jw-cjhp
- github.com/sveltejs/kit
- github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf
- github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6
- github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp
- nvd.nist.gov/vuln/detail/CVE-2025-32388