Vulnerability-Lookup

CVE-2024-53262 (GCVE-0-2024-53262)

Vulnerability from cvelistv5 – Published: 2024-11-25 19:07 – Updated: 2024-11-25 20:24

Title

Unescaped error message included on error page in SvelteKit

Summary

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity ?

2 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/sveltejs/kit/security/advisori…	x_refsource_CONFIRM
	https://github.com/sveltejs/kit/commit/134e36343e…	x_refsource_MISC
	https://kit.svelte.dev/docs/errors	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	sveltejs	kit	Affected: < 2.8.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53262",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-25T20:23:50.461446Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-25T20:24:05.750Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kit",
          "vendor": "sveltejs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% \u2014 the HTTP status, and %sveltekit.error.message% \u2014 the error message.  This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-25T19:07:20.317Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv"
        },
        {
          "name": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794"
        },
        {
          "name": "https://kit.svelte.dev/docs/errors",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kit.svelte.dev/docs/errors"
        }
      ],
      "source": {
        "advisory": "GHSA-mh2x-fcqh-fmqv",
        "discovery": "UNKNOWN"
      },
      "title": "Unescaped error message included on error page in SvelteKit"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53262",
    "datePublished": "2024-11-25T19:07:20.317Z",
    "dateReserved": "2024-11-19T20:08:14.481Z",
    "dateUpdated": "2024-11-25T20:24:05.750Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53262\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-25T20:23:50.461446Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-25T20:23:55.782Z\"}}], \"cna\": {\"title\": \"Unescaped error message included on error page in SvelteKit\", \"source\": {\"advisory\": \"GHSA-mh2x-fcqh-fmqv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"sveltejs\", \"product\": \"kit\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.8.3\"}]}], \"references\": [{\"url\": \"https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv\", \"name\": \"https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794\", \"name\": \"https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://kit.svelte.dev/docs/errors\", \"name\": \"https://kit.svelte.dev/docs/errors\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% \\u2014 the HTTP status, and %sveltekit.error.message% \\u2014 the error message.  This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-25T19:07:20.317Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53262\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-25T20:24:05.750Z\", \"dateReserved\": \"2024-11-19T20:08:14.481Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-25T19:07:20.317Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-53262

Vulnerability from fkie_nvd - Published: 2024-11-25 20:15 - Updated: 2025-08-28 14:39

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794	Patch
security-advisories@github.com	https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv	Third Party Advisory
security-advisories@github.com	https://kit.svelte.dev/docs/errors	Issue Tracking

Impacted products

	Vendor	Product	Version
	svelte	sveltekit	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:svelte:sveltekit:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "2588130D-C9C2-47BC-B565-571E28BA17A8",
              "versionEndExcluding": "2.8.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% \u2014 the HTTP status, and %sveltekit.error.message% \u2014 the error message.  This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "SvelteKit es un framework para desarrollar r\u00e1pidamente aplicaciones web robustas y de alto rendimiento utilizando Svelte. La plantilla est\u00e1tica error.html para errores contiene marcadores de posici\u00f3n que se reemplazan sin escapar el contenido primero. error.html es la p\u00e1gina que se representa cuando todo lo dem\u00e1s falla. Puede contener los siguientes marcadores de posici\u00f3n: %sveltekit.status%: el estado HTTP y %sveltekit.error.message%: el mensaje de error. Esto conduce a una posible inyecci\u00f3n si una aplicaci\u00f3n crea expl\u00edcitamente un error con un mensaje que contiene contenido controlado por el usuario. Solo las aplicaciones en las que se utiliza la entrada proporcionada por el usuario en el mensaje `Error` ser\u00e1n vulnerables, por lo que la gran mayor\u00eda de las aplicaciones no ser\u00e1n vulnerables. Este problema se ha solucionado en la versi\u00f3n 2.8.3 y se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-53262",
  "lastModified": "2025-08-28T14:39:17.583",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.0,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-25T20:15:10.423",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://kit.svelte.dev/docs/errors"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-MH2X-FCQH-FMQV

Vulnerability from github – Published: 2024-11-25 15:32 – Updated: 2024-11-25 21:46

Summary

@sveltejs/kit has unescaped error message included on error page

Details

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status %sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

Severity ?

4.2 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

1.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sveltejs/kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-25T15:32:45Z",
    "nvd_published_at": "2024-11-25T20:15:10Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe static error.html template for errors contains placeholders that are replaced without escaping the content first.\n\n### Details\n\nFrom https://kit.svelte.dev/docs/errors:\n\n\u003e error.html is the page that is rendered when everything else fails. It can contain the following placeholders:\n%sveltekit.status% \u2014 the HTTP status\n%sveltekit.error.message% \u2014 the error message\n\nThis leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function: \n```js\nerror(500, \u0027\u003cscript\u003ealert(\"boom\")\u003c/script\u003e\u0027);\n```\nUncaught errors cannot be exploited like this, as they always render the message \"Internal error\".\n\nEscaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.\n\n### PoC\n\nNone provided\n\n### Impact\n\nOnly applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable",
  "id": "GHSA-mh2x-fcqh-fmqv",
  "modified": "2024-11-25T21:46:57Z",
  "published": "2024-11-25T15:32:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/pull/13050"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/kit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.8.3"
    },
    {
      "type": "WEB",
      "url": "https://kit.svelte.dev/docs/errors"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@sveltejs/kit has unescaped error message included on error page"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-53262 (GCVE-0-2024-53262)

FKIE_CVE-2024-53262

GHSA-MH2X-FCQH-FMQV

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature