7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.3 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.1%
In SvelteKit 2 sending a GET request with a body eg {}
to a SvelteKit app in preview or with adapter-node
throws Request with GET/HEAD method cannot have body.
and crashes the app.
node:internal/deps/undici/undici:6066
throw new TypeError("Request with GET/HEAD method cannot have body.");
^
TypeError: Request with GET/HEAD method cannot have body.
at new Request (node:internal/deps/undici/undici:6066:17)
at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
Node.js v20.11.0
TRACE
requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.
First do a fresh install of SvelteKit 2 with the example app. Typescript.
npm run build
npm run preview
Denial of Service for apps using adapter-node
CPE | Name | Operator | Version |
---|---|---|---|
@sveltejs/adapter-node | eq | 4.0.0 | |
@sveltejs/adapter-node | lt | 3.0.3 | |
@sveltejs/adapter-node | lt | 2.1.2 | |
@sveltejs/kit | lt | 2.4.3 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.3 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.1%