PT-2024-35700 · Sveltekit · Sveltekit

Dominikg · Published 2024-11-25 · Updated 2025-08-28 · CVE-2024-53262

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SvelteKit versions prior to 2.8.3

Description: The static error.html template for errors in SvelteKit contains placeholders that are replaced without escaping the content first. This leads to possible injection if an app explicitly creates an error with a message that contains user-controlled content. The error.html page can contain placeholders such as %sveltekit.status% for the HTTP status and %sveltekit.error.message% for the error message. Only applications where user-provided input is used in the Error message are vulnerable.

Recommendations: For versions prior to 2.8.3, upgrade to version 2.8.3 or later to address this issue. As a temporary workaround, consider escaping the message string in the function that creates the HTML output to improve safety for applications that use custom errors on the server. Restrict the use of user-provided input in the Error message to minimize the risk of exploitation.
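The following is an added illustration, not SvelteKit's own code: a minimal stand-in for the function that fills the error.html placeholders, first substituting the raw message (the pre-2.8.3 behaviour described above) and then with the escaping the workaround recommends. The template string and the example messages are constructed for this demonstration.

```javascript
// Added example (not SvelteKit's code): filling the %sveltekit.status% and
// %sveltekit.error.message% placeholders of a static error.html template.

// Minimal HTML escaping for text placed in an HTML element body or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for an app's error.html template.
const ERROR_TEMPLATE =
  '<html><body><h1>%sveltekit.status%</h1>' +
  '<p>%sveltekit.error.message%</p></body></html>';

// Replacement is done with a callback so that "$&"-style patterns in the
// message are inserted literally instead of being interpreted by replace().
function fillPlaceholders(template, status, message) {
  return template
    .replace(/%sveltekit\.status%/g, () => status)
    .replace(/%sveltekit\.error\.message%/g, () => message);
}

// Vulnerable variant: the message goes into the HTML as-is, so markup in a
// user-controlled error message becomes part of the page.
function renderErrorHtmlUnescaped(template, status, message) {
  return fillPlaceholders(template, String(status), String(message));
}

// Hardened variant (the recommended workaround): escape before substituting,
// so the message is rendered as text regardless of its content.
function renderErrorHtmlEscaped(template, status, message) {
  return fillPlaceholders(template, escapeHtml(status), escapeHtml(message));
}

// Illustrates the "user input in the Error message" pattern the advisory
// warns about; `userInput` is a constructed value, not real request data.
function errorPageForBadId(userInput) {
  const message = `No item with id "${userInput}"`; // user input in the message
  return renderErrorHtmlEscaped(ERROR_TEMPLATE, 404, message);
}
```

Escaping at the substitution point protects the error page even when an application has already built error messages from request data; restricting such input in messages remains the more complete fix.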

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-53262
GHSA-MH2X-FCQH-FMQV

Affected Products

Sveltekit