Benmccann

**Name of the Vulnerable Software and Affected Versions** SvelteKit versions prior to 2.8.3 **Description** Unsanitized input from the request URL flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS). The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact, as the Vite development is not exposed to the network by default and a development database should not have any sensitive data. **Recommendations** For versions prior to 2.8.3, upgrade to version 2.8.3 to address the issue. As a temporary workaround, consider restricting access to the `end` function and the files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` to minimize the risk of exploitation. Avoid using user-controllable data in the `url` property of `req` in `packages/kit/src/exports/vite/utils.js` until the issue is resolved.