CVE-2024-53262

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794	Patch
https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv	Third Party Advisory
https://kit.svelte.dev/docs/errors	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:svelte:sveltekit:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2024-11-25 20:15

Updated : 2025-08-28 14:39

NVD link : CVE-2024-53262

Mitre link : CVE-2024-53262

CVE.ORG link : CVE-2024-53262

JSON object : View

Products Affected

svelte

sveltekit

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-53262", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-25T20:15:10.423", "references": [{"url": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://kit.svelte.dev/docs/errors", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% \u2014 the HTTP status, and %sveltekit.error.message% \u2014 the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "SvelteKit es un framework para desarrollar r\u00e1pidamente aplicaciones web robustas y de alto rendimiento utilizando Svelte. La plantilla est\u00e1tica error.html para errores contiene marcadores de posici\u00f3n que se reemplazan sin escapar el contenido primero. error.html es la p\u00e1gina que se representa cuando todo lo dem\u00e1s falla. Puede contener los siguientes marcadores de posici\u00f3n: %sveltekit.status%: el estado HTTP y %sveltekit.error.message%: el mensaje de error. Esto conduce a una posible inyecci\u00f3n si una aplicaci\u00f3n crea expl\u00edcitamente un error con un mensaje que contiene contenido controlado por el usuario. Solo las aplicaciones en las que se utiliza la entrada proporcionada por el usuario en el mensaje `Error` ser\u00e1n vulnerables, por lo que la gran mayor\u00eda de las aplicaciones no ser\u00e1n vulnerables. Este problema se ha solucionado en la versi\u00f3n 2.8.3 y se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."}], "lastModified": "2025-08-28T14:39:17.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:svelte:sveltekit:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "2588130D-C9C2-47BC-B565-571E28BA17A8", "versionEndExcluding": "2.8.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}