{
  "schema_version": "1.4.0",
  "id": "GHSA-6q87-84jw-cjhp",
  "modified": "2025-04-16T00:40:49Z",
  "published": "2025-04-14T19:10:42Z",
  "aliases": [
    "CVE-2025-32388"
  ],
  "summary": "@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params",
  "details": "### Summary\n\nUnsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of `event.url.searchParams` inside a server `load` function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.\n\n### Details\n\nSvelteKit tracks which parameters in `event.url.searchParams` are read inside server `load` functions. If the application iterates over the these parameters, the `uses.search_params` array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form.\n\n`packages/kit/src/runtime/server/utils.js:150` has the `stringify_uses(node)` function which prints these out.\n\n### Reproduction\n\nIn a `+page.server.js` or `+layout.server.js`:\n\n```js\n/** @type {import('@sveltejs/kit').Load} */\nexport function load(event) {\n  const values = {};\n\n  for (const key of event.url.searchParams.keys()) {\n    values[key] = event.url.searchParams.get(key);\n  }\n}\n```\n\nIf a user visits the page in question via a link containing `?</script/><script>window.pwned%3D1</script/>`, the `</script>` will be included verbatim in the payload, causing the embedded script to be executed.\n\nIt is not necessary to return the parameter value from `load` or render it in the page, only to read it (which causes it to be tracked as a dependency) while `load` is running.\n\n### Impact\n\nAny application that iterates over all values in `event.url.searchParams` in a `load` function in `+page.server.js` or `+layout.server.js` (directly or indirectly) is vulnerable to XSS.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sveltejs/kit"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.20.6"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32388"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/kit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-14T19:10:42Z",
    "nvd_published_at": "2025-04-15T23:15:42Z"
  }
}