CVE-2024-53261 @sveltejs/kit

Package

Manager: npm
Name: @sveltejs/kit
Vulnerable Version: >=0 <2.8.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00065 (percentile 0.2065)

Details

@sveltejs/kit vulnerable to XSS on dev mode 404 page

### Summary

"Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

### Details

Source of potentially tainted data is in `packages/kit/src/exports/vite/dev/index.js`, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in `packages/kit/src/exports/vite/utils.js`, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from `packages/kit/src/exports/vite/utils.js`, line 30, col 30 (i.e., the `url` property of `req`). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in `packages/kit/src/exports/vite/utils.js`, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

### PoC

Not provided

### Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.
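The data flow the advisory describes, request URL text reaching an HTML 404 response, is shown below as an added example. It is not SvelteKit's code and not the change shipped in 2.8.3; the function names and sample paths are constructed for illustration.

```javascript
// Added illustration: hypothetical names, not taken from @sveltejs/kit.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure in text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: text derived from req.url is concatenated into markup as-is.
function notFoundPageUnsafe(reqUrl) {
  return `<!doctype html><h1>404</h1><p>Not found: ${reqUrl}</p>`;
}

// Hardened pattern: decode for display first, then escape at the HTML sink,
// so percent-encoded markup cannot reappear after the escaping step.
function notFoundPageSafe(reqUrl) {
  let shown;
  try {
    shown = decodeURI(reqUrl);
  } catch {
    shown = reqUrl; // malformed percent-sequence: show the raw text instead
  }
  return `<!doctype html><h1>404</h1><p>Not found: ${escapeHtml(shown)}</p>`;
}

// Constructed sample request paths (not from the advisory).
const samplePaths = [
  '/missing/page',
  '/missing/<b>bold</b>', // literal markup in the path
  '/missing/%3Cb%3Ex',    // the same characters, percent-encoded
  '/bad/%E0%A4%A'         // malformed encoding; decodeURI throws on this
];

// Render every sample both ways and report whether markup survived intact.
function compare() {
  return samplePaths.map((path) => ({
    path,
    unsafeHasMarkup: notFoundPageUnsafe(path).includes('<b>'),
    safeHasMarkup: notFoundPageSafe(path).includes('<b>')
  }));
}

console.log(compare());
```
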

Metadata

Created: 2024-11-25T15:33:19Z
Modified: 2025-01-22T20:54:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-rjjv-87mx-6x3h/GHSA-rjjv-87mx-6x3h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-rjjv-87mx-6x3h
Finding: F008
Auto approve: 1