CVE-2024-53261

Name of the Vulnerable Software and Affected Versions SvelteKit versions prior to 2.8.3

Description Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS). The files packages/kit/src/exports/vite/dev/index.js and packages/kit/src/exports/vite/utils.js both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact, as the Vite development is not exposed to the network by default and a development database should not have any sensitive data.

Recommendations For versions prior to 2.8.3, upgrade to version 2.8.3 to address the issue. As a temporary workaround, consider restricting access to the end function and the files packages/kit/src/exports/vite/dev/index.js and packages/kit/src/exports/vite/utils.js to minimize the risk of exploitation. Avoid using user-controllable data in the url property of req in packages/kit/src/exports/vite/utils.js until the issue is resolved.