CVE-2024-53261
@sveltejs/kit vulnerable to XSS on dev mode 404 page
Description
### Summary

"Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

### Details

Source of potentially tainted data is in `packages/kit/src/exports/vite/dev/index.js`, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in `packages/kit/src/exports/vite/utils.js`, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from `packages/kit/src/exports/vite/utils.js`, line 30, col 30 (i.e., the `url` property of `req`). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in `packages/kit/src/exports/vite/utils.js`, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

### PoC

Not provided

### Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.
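The pattern the advisory describes, a request URL written into an HTML error page, shown beside an escaped version with a regression check. This is an added example, not SvelteKit's code: the function names, page markup and sample path are constructed for illustration.

```javascript
// Added illustration; not SvelteKit source. All names here are hypothetical.

// The five characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single-pass replacement, so already-produced entities are never re-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the request URL is interpolated into the markup as-is.
function notFoundPageUnsafe(url) {
  return `<!doctype html><h1>Not found</h1><p>No route matches <code>${url}</code></p>`;
}

// After: the URL is escaped for HTML before it reaches the response body.
function notFoundPageSafe(url) {
  return `<!doctype html><h1>Not found</h1><p>No route matches <code>${escapeHtml(url)}</code></p>`;
}

// Response headers that limit the effect of a missed escaping step.
function notFoundHeaders() {
  return {
    'content-type': 'text/html; charset=utf-8',
    'content-security-policy': "default-src 'none'",
    'x-content-type-options': 'nosniff'
  };
}

// Constructed sample input: a path carrying markup characters.
const sampleUrl = '/missing/<b id="x">&';

// Regression check for any error-page renderer: input containing markup
// characters must not appear verbatim in the rendered page.
function reflectsRawMarkup(render, url) {
  return /[<>"]/.test(url) && render(url).includes(url);
}

console.log(notFoundPageSafe(sampleUrl));
console.log('unsafe reflects markup:', reflectsRawMarkup(notFoundPageUnsafe, sampleUrl));
console.log('safe reflects markup:', reflectsRawMarkup(notFoundPageSafe, sampleUrl));
```
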
How to fix CVE-2024-53261
To remediate CVE-2024-53261, upgrade the affected package to a fixed version below.
- @sveltejs/kit: upgrade to 2.8.3 or later
Is CVE-2024-53261 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @sveltejs/kit: from 0, < 2.8.3