PT-2025-16545 · Sveltekit · Sveltekit

Kkarikos · Published 2025-04-14 · Updated 2026-01-08 · CVE-2025-32388

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SvelteKit versions prior to 2.20.6

Description: The issue arises from unsanitized search parameter names, leading to an XSS vulnerability. It occurs when a server load function iterates over all entries of event.url.searchParams, so the parameter names (which are attacker-controlled) reach the rendered page without sanitization. Attackers can exploit this by crafting a malicious URL and getting a user to click on it.

Recommendations: For versions prior to 2.20.6, update to version 2.20.6 to resolve the issue. As a temporary workaround, avoid iterating over all entries of event.url.searchParams inside server load functions until the update is applied.
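The pattern named in the description beside the workaround from the recommendations, as an added example that is not SvelteKit's or the advisory author's code: a load-style function that copies every entry of the search params versus one that reads only an allow-list, run on a constructed URL. `url` (standing in for event.url), `ALLOWED_PARAMS`, the function names and the sample URL are assumptions.

```javascript
// Added example, not SvelteKit's code. Models the pattern the advisory describes
// (iterating every entry of event.url.searchParams in a server load function) next
// to the recommended workaround (reading only known parameter names). `url` stands
// in for event.url (assumption); both functions take a WHATWG URL so they run
// outside SvelteKit.

const ALLOWED_PARAMS = ['page', 'sort']; // assumed allow-list for this route

// Risky pattern from the advisory: every client-supplied key is copied into the
// load result. Parameter *names* are attacker-controlled, and in SvelteKit < 2.20.6
// they were not sanitized before being embedded in the rendered page.
function loadAllParams(url) {
  const params = {};
  for (const [key, value] of url.searchParams) {
    params[key] = value;
  }
  return params;
}

// Workaround pattern: only allow-listed names reach the returned data. Unknown keys
// never enter the result; their count is returned so a caller can log the anomaly.
function loadAllowedParams(url) {
  const params = {};
  let dropped = 0;
  for (const name of ALLOWED_PARAMS) {
    const value = url.searchParams.get(name);
    if (value !== null) params[name] = value;
  }
  for (const key of url.searchParams.keys()) {
    if (!ALLOWED_PARAMS.includes(key)) dropped += 1;
  }
  return { params, dropped };
}

// Constructed request URL: one expected parameter plus a parameter *name* that
// carries markup characters. The URL parser percent-encodes them in url.search,
// but URLSearchParams decodes them again, so the raw name reaches the load code.
const SAMPLE_URL = new URL('https://app.example/list?page=2&<b>note</b>=1');

function demo() {
  const risky = loadAllParams(SAMPLE_URL);
  const safe = loadAllowedParams(SAMPLE_URL);
  console.log('risky keys:', Object.keys(risky)); // includes "<b>note</b>"
  console.log('safe keys :', Object.keys(safe.params), 'dropped:', safe.dropped);
  return { risky, safe };
}

demo();
```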

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-32388
GHSA-6Q87-84JW-CJHP

Affected Products

Sveltekit