CVE-2024-53261

NONE 0.0 | EPSS 0.25%

@sveltejs/kit vulnerable to XSS on dev mode 404 page

Published: 11/25/2024
Modified: 1/22/2025
Also known as: GHSA-rjjv-87mx-6x3h

Description

### Summary

"Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

### Details

Source of potentially tainted data is in `packages/kit/src/exports/vite/dev/index.js`, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in `packages/kit/src/exports/vite/utils.js`, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from `packages/kit/src/exports/vite/utils.js`, line 30, col 30 (i.e., the `url` property of `req`). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in `packages/kit/src/exports/vite/utils.js`, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

### PoC

Not provided

### Impact

Little to none. The Vite development server is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.
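The data flow described above (the request URL ending up in the HTML body handed to `end`) can be shown side by side with its hardened form. This is an added example, not SvelteKit's own code: the function names, the `/app` base path and the sample URL are all constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not the project's code.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before" pattern: the request URL is interpolated into the 404 page verbatim.
function notFoundPageUnsafe(base, url) {
  const prefixed = base + url;
  return `<p>Not found. Did you mean <a href="${prefixed}">${prefixed}</a>?</p>`;
}

// Hardened pattern: the value is escaped before it reaches either HTML context
// (the quoted href attribute and the link text).
function notFoundPageSafe(base, url) {
  const prefixed = escapeHtml(base + url);
  return `<p>Not found. Did you mean <a href="${prefixed}">${prefixed}</a>?</p>`;
}

// Regression check: does the marker survive into the body as live markup?
function reflectsMarkup(body, marker) {
  return body.includes(marker);
}

// Constructed sample input: a path that closes the href attribute and adds an element.
const SAMPLE_URL = '/missing"><b id="injected">x</b>';
const MARKER = '<b id="injected">';

function demo() {
  return {
    unsafe: reflectsMarkup(notFoundPageUnsafe('/app', SAMPLE_URL), MARKER),
    safe: reflectsMarkup(notFoundPageSafe('/app', SAMPLE_URL), MARKER),
  };
}

console.log(demo());
```

A check like `reflectsMarkup` fits naturally into a unit test for any dev-server error page that echoes the requested path.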

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | NONE 0.0 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N |

References (6)