SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)
Relatively small inputs can produce very large `files` arrays in form handlers. If the SvelteKit application code does not check `files.length` or the size of each file before performing expensive processing on them, the result can be a Denial of Service. Only users with experimental.remoteFunctions:...
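The mitigation the advisory points at is a bounds check on the `files` array before any expensive work touches it. The following is an added example, not SvelteKit's own code: a framework-agnostic guard that caps file count, per-file size and total size, wired into a hypothetical upload handler that reads its files from a `FormData` body. The names `checkUploadLimits`, `handleUpload` and the limit values are this example's own assumptions; the sample inputs are constructed inline so it runs offline on Node 18+.

```javascript
// Added example (not part of the advisory or of SvelteKit): reject oversized
// or over-long `files` arrays before doing any per-file processing.

// Limits are illustrative; a real application would size them to its needs.
const DEFAULT_LIMITS = {
  maxFiles: 5,                       // hard cap on array length
  maxBytesPerFile: 5 * 1024 * 1024,  // 5 MiB per file
  maxTotalBytes: 20 * 1024 * 1024,   // 20 MiB for the whole submission
};

// Returns { ok: true } or { ok: false, reason } without reading file contents,
// so a malicious submission costs the server a few comparisons at most.
function checkUploadLimits(files, limits = DEFAULT_LIMITS) {
  if (!Array.isArray(files)) {
    return { ok: false, reason: 'files is not an array' };
  }
  // Check the count first: an expanded array is the cheapest thing to spot.
  if (files.length > limits.maxFiles) {
    return { ok: false, reason: `too many files: ${files.length} > ${limits.maxFiles}` };
  }
  let total = 0;
  for (let i = 0; i < files.length; i++) {
    const f = files[i];
    // Duck-type on `size` so both File and Blob instances are accepted.
    if (f === null || typeof f !== 'object' || typeof f.size !== 'number') {
      return { ok: false, reason: `entry ${i} is not a file` };
    }
    if (f.size > limits.maxBytesPerFile) {
      return { ok: false, reason: `file ${i} too large: ${f.size} bytes` };
    }
    total += f.size;
    if (total > limits.maxTotalBytes) {
      return { ok: false, reason: `total upload exceeds ${limits.maxTotalBytes} bytes` };
    }
  }
  return { ok: true, reason: null };
}

// Hypothetical handler: the guard runs before the expensive loop, never after.
async function handleUpload(formData, limits = DEFAULT_LIMITS) {
  const files = formData.getAll('files');
  const check = checkUploadLimits(files, limits);
  if (!check.ok) {
    return { status: 400, error: check.reason };
  }
  // Only now is it safe to pay per-file costs (here: reading each body).
  let bytesProcessed = 0;
  for (const f of files) {
    const buf = await f.arrayBuffer();
    bytesProcessed += buf.byteLength;
  }
  return { status: 200, bytesProcessed };
}

// Constructed sample input: a FormData with `n` files of `bytes` bytes each.
function buildForm(n, bytes) {
  const fd = new FormData();
  for (let i = 0; i < n; i++) {
    fd.append('files', new Blob([new Uint8Array(bytes)]), `file${i}.bin`);
  }
  return fd;
}

module.exports = { DEFAULT_LIMITS, checkUploadLimits, handleUpload, buildForm };
```

Place the check at the top of the handler, before any loop over the files; ordering the count check ahead of the size checks keeps the cost of rejecting an expanded array independent of its length.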
Access of Resource Using Incompatible Type ('Type Confusion')
Overview: @sveltejs/kit is the SvelteKit framework and CLI. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the remote form deserialization. An attacker can cause the server to become unresponsive and exhaust CPU resources by...
Memory exhaustion in SvelteKit remote form deserialization (experimental only)
Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service. Only applications using both experimental.remoteFunctions a...