CWE: 79

CVE-2025-32388: SvelteKit allows XSS via tracked search_params

First published: Mon Apr 14 2025

### Summary

Unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of `event.url.searchParams` inside a server `load` function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.

### Details

SvelteKit tracks which parameters in `event.url.searchParams` are read inside server `load` functions. If the application iterates over these parameters, the `uses.search_params` array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form. `packages/kit/src/runtime/server/utils.js:150` has the `stringify_uses(node)` function which prints these out.

### Reproduction

In a `+page.server.js` or `+layout.server.js`:

```js
/** @type {import('@sveltejs/kit').Load} */
export function load(event) {
	const values = {};
	// Iterating over every key reads, and therefore tracks, each
	// attacker-controlled parameter name; nothing needs to be returned.
	for (const key of event.url.searchParams.keys()) {
		values[key] = event.url.searchParams.get(key);
	}
}
```

If a user visits the page in question via a link containing `?</script/><script>window.pwned%3D1</script/>`, the `</script>` will be included verbatim in the payload, causing the embedded script to be executed. It is not necessary to return the parameter value from `load` or render it in the page, only to read it (which causes it to be tracked as a dependency) while `load` is running.

### Impact

Any application that iterates over all values in `event.url.searchParams` in a `load` function in `+page.server.js` or `+layout.server.js` (directly or indirectly) is vulnerable to XSS.
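The following is an added example, not part of the advisory and not SvelteKit's own code. It shows the defensive pattern that avoids the vulnerable shape described above: instead of iterating over every key in `event.url.searchParams` (which tracks, and later embeds, attacker-controlled names), the `load` function reads only a fixed allowlist of parameter names, so the tracked set never contains user input. It also includes a plain semver check against the affected range listed on this page (`>=2.0.0 <2.20.6`) for use in an audit script. `ALLOWED_PARAMS`, `readAllowedParams`, `isAffectedKitVersion` and the sample URL are assumptions constructed for this example; the real fix remains upgrading `@sveltejs/kit` to 2.20.6 or later.

```javascript
// Added example (not SvelteKit's own code). Assumed names: ALLOWED_PARAMS,
// readAllowedParams, isAffectedKitVersion, load.

// Parameter names this page actually uses. Anything else in the query string
// is never read, so it is never tracked as a dependency.
const ALLOWED_PARAMS = ['q', 'page', 'sort'];

/**
 * Read only known parameter names from a URL. Because the loop runs over the
 * allowlist rather than over searchParams.keys(), only these fixed names are
 * ever tracked, and a user-supplied key such as one containing '</script>'
 * is simply ignored.
 * @param {URL} url
 * @param {string[]} allowlist
 * @returns {Record<string, string>}
 */
function readAllowedParams(url, allowlist = ALLOWED_PARAMS) {
  const values = {};
  for (const key of allowlist) {
    const value = url.searchParams.get(key); // fixed name, no keys() iteration
    if (value !== null) values[key] = value;
  }
  return values;
}

/**
 * Hardened counterpart of the reproduction's load(): same data shape, but the
 * only searchParams reads are for allowlisted names. Takes any object with a
 * `url` property so it can be exercised outside SvelteKit.
 * @param {{ url: URL }} event
 */
function load(event) {
  return { params: readAllowedParams(event.url) };
}

/**
 * Parse "MAJOR.MINOR.PATCH" into numbers. A leading "v" and any pre-release or
 * build suffix are stripped (a pre-release is treated as its base release).
 * @param {string} v
 * @returns {number[]}
 */
function parseVersion(v) {
  const core = v.replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

/** Compare two version strings numerically per component: -1, 0 or 1. */
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

/**
 * True if an installed @sveltejs/kit version is inside the range this
 * advisory lists as affected: >=2.0.0 and <2.20.6.
 * @param {string} installed
 * @returns {boolean}
 */
function isAffectedKitVersion(installed) {
  return (
    compareVersions(installed, '2.0.0') >= 0 &&
    compareVersions(installed, '2.20.6') < 0
  );
}

// Constructed sample URL (not from the page): one legitimate param plus a junk
// key that a keys() loop would have read and tracked.
const sample = new URL('https://example.test/search?q=svelte&<junk>=1');
console.log(load({ url: sample })); // { params: { q: 'svelte' } }
console.log(isAffectedKitVersion('2.20.5'), isAffectedKitVersion('2.20.6')); // true false
```

The allowlist pattern removes the vulnerable access pattern from application code and is worth keeping even after upgrading, since it also keeps unrelated query keys from becoming cache-invalidation dependencies. The version check is deliberately dependency-free so it can run from a CI step that reads the installed package's version.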

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| npm/@sveltejs/kit | >=2.0.0 <2.20.6 | Upgrade to 2.20.6 |


Frequently Asked Questions

  • What is the severity of CVE-2025-32388?

    CVE-2025-32388 is classified as a Cross-Site Scripting (XSS) vulnerability that can allow attackers to execute scripts in the context of users' sessions.

  • How do I fix CVE-2025-32388?

    To fix CVE-2025-32388, upgrade to version 2.20.6 or later of the @sveltejs/kit package.

  • Who is affected by CVE-2025-32388?

    Users are affected by CVE-2025-32388 if they iterate over all entries of `event.url.searchParams` inside a server `load` function.

  • What kind of attack vector is associated with CVE-2025-32388?

    CVE-2025-32388 can be exploited through crafted malicious URLs that users are tricked into clicking.

  • Is the vulnerability CVE-2025-32388 present in earlier versions of the software?

    Yes, CVE-2025-32388 affects versions of @sveltejs/kit from 2.0.0 up to but not including 2.20.6.
