SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user-controlled content. Only applications where user-provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable. This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
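The placeholder substitution the advisory describes, shown as an added example (not SvelteKit's own code) with the raw replacement beside an HTML-escaping one; the template, status and error message are constructed for the demonstration.

```javascript
// Added example, not SvelteKit's own code: substitute the two error.html
// placeholders named in the advisory, escaping each value first. The template,
// status and message below are constructed for the demonstration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open or close markup or an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for a static error.html page using the placeholders from the advisory.
const ERROR_TEMPLATE =
  '<html><body><h1>%sveltekit.status%</h1><p>%sveltekit.error.message%</p></body></html>';

// Vulnerable pattern: the placeholder is replaced with the raw message text, so
// markup that reached the Error message from user input becomes part of the page.
function renderUnsafe(template, status, message) {
  return template
    .replaceAll('%sveltekit.status%', () => String(status))
    .replaceAll('%sveltekit.error.message%', () => String(message));
}

// Hardened pattern: every substituted value is HTML-escaped, so the same message
// renders as visible text. A function replacer is used so that "$&"-style
// patterns inside the value are not interpreted by String.prototype.replaceAll.
function renderEscaped(template, status, message) {
  return template
    .replaceAll('%sveltekit.status%', () => escapeHtml(status))
    .replaceAll('%sveltekit.error.message%', () => escapeHtml(message));
}

// Constructed error message that echoes a client-supplied item name unchanged.
const USER_MESSAGE = 'Item "<b>unknown</b>" not found';

// Self-check usable in a test suite: did the message's markup survive into the page?
function markupLeaked(html, markup) {
  return html.includes(markup);
}

console.log(renderUnsafe(ERROR_TEMPLATE, 404, USER_MESSAGE));
console.log(renderEscaped(ERROR_TEMPLATE, 404, USER_MESSAGE));
```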
History

Thu, 28 Aug 2025 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Svelte; Svelte sveltekit
CPEs | | cpe:2.3:a:svelte:sveltekit:*:*:*:*:*:node.js:*:*
Vendors & Products | | Svelte; Svelte sveltekit
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 25 Nov 2024 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 Nov 2024 19:30:00 +0000

Type | Values Removed | Values Added
Description | | (the current description, as shown at the top of this page)
Title | | Unescaped error message included on error page in SvelteKit
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-11-25T20:24:05.750Z

Reserved: 2024-11-19T20:08:14.481Z

Link: CVE-2024-53262

Vulnrichment

Updated: 2024-11-25T20:23:55.782Z

NVD

Status: Analyzed

Published: 2024-11-25T20:15:10.423

Modified: 2025-08-28T14:39:17.583

Link: CVE-2024-53262

Redhat

No data.

OpenCVE Enrichment

No data.