VYPR
Medium severity5.4OSV Advisory· Published Apr 15, 2025· Updated Jun 17, 2026

CVE-2025-32388

CVE-2025-32388

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@sveltejs/kitnpm
>= 2.0.0, < 2.20.62.20.6

Affected products

2
  • Range: @sveltejs/adapter-auto@2.0.1, @sveltejs/adapter-auto@2.1.0, @sveltejs/adapter-auto@2.1.1, …
  • ghsa-coords
    Range: >= 2.0.0, < 2.20.6

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.