5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32388

CVE-2025-32388: @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params

Summary

Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.

Details

SvelteKit tracks which parameters in event.url.searchParams are read inside server load functions. If the application iterates over the these parameters, the uses.search_params array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form.

packages/kit/src/runtime/server/utils.js:150 has the stringify_uses(node) function which prints these out.

Reproduction

In a +page.server.js or +layout.server.js:

/** @type {import('@sveltejs/kit').Load} */
export function load(event) {
  const values = {};

  for (const key of event.url.searchParams.keys()) {
    values[key] = event.url.searchParams.get(key);
  }
}

If a user visits the page in question via a link containing ?</script/><script>window.pwned%3D1</script/>, the </script> will be included verbatim in the payload, causing the embedded script to be executed.

It is not necessary to return the parameter value from load or render it in the page, only to read it (which causes it to be tracked as a dependency) while load is running.

Impact

Any application that iterates over all values in event.url.searchParams in a load function in +page.server.js or +layout.server.js (directly or indirectly) is vulnerable to XSS.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-32388

CVE-2025-32388:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@sveltejs/kit	npm	>= 2.0.0, < 2.20.6	2.20.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs because unsanitized search parameter names, when iterated over in a server load function, are tracked and then embedded into a script tag in the server-rendered HTML. The core issue lies in the stringify_uses function (in packages/kit/src/runtime/server/utils.js), which was responsible for preparing these tracked parameters for embedding. It used JSON.stringify for the array of parameter names, but JSON.stringify does not escape the '/' character. Thus, a parameter name like </script><script>alert(1)</script> would remain largely intact within the generated string. This unsafe string was then consumed by the get_data function (in packages/kit/src/runtime/server/page/render.js), which concatenated it into a larger data structure that was embedded directly into a <script> block in the HTML page. The HTML parser would then encounter the </script> sequence from the malicious parameter name and could terminate the script block prematurely, allowing the subsequent injected script to execute. The patch addressed this by:

Modifying stringify_uses (renamed to serialize_uses) to return a raw JavaScript object instead of a pre-formatted string.
Modifying get_data to take this object and use devalue.uneval to serialize the entire payload. devalue.uneval correctly escapes characters like < and /, making the output safe for embedding in HTML. A similar change was made in get_data_json, which also consumed stringify_uses. Therefore, stringify_uses is identified as vulnerable because it produced the unsafe string, and get_data is identified as vulnerable because it embedded this unsafe string into HTML leading to XSS.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-32388: @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params

Summary

Details

Reproduction

Impact

CVE-2025-32388:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2025-32388: @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params

Summary

Details

Reproduction

Impact

5.4

5.4

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI