Medium severity5.4OSV Advisory· Published Apr 15, 2025· Updated Jun 17, 2026
CVE-2025-32388
CVE-2025-32388
Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@sveltejs/kitnpm | >= 2.0.0, < 2.20.6 | 2.20.6 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-6q87-84jw-cjhpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-32388ghsaADVISORY
- github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cfnvdWEB
- github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6nvdWEB
- github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhpnvdWEB
News mentions
0No linked articles in our index yet.