7 matches found

Github Security Blog (added 2026/02/28 2:4 a.m., 6 views)

SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...

AI score: 6
Exploits: 0 | References: 4 | Affected software: 1
Github Security Blog (added 2026/02/19 8:30 p.m., 8 views)

CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service. Only applications using both experimental.remoteFunctions and form...

AI score: 5.6
Exploits: 0 | References: 4 | Affected software: 1
OSV (added 2026/02/19 8:30 p.m., 2 views)

GHSA-88QP-P4QG-RQM6 CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service. Only applications using both experimental.remoteFunctions and form...

CVSS: 6.9 | AI score: 5.6
Exploits: 0 | References: 4
Snyk (added 2026/02/19 8:30 p.m., 3 views)

Access of Resource Using Incompatible Type ('Type Confusion')

Overview: @sveltejs/kit is a SvelteKit framework and CLI. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the remote form deserialization. An attacker can cause the server to become unresponsive and exhaust CPU resources by...

CVSS: 6.9 | AI score: 5.7
Exploits: 0 | References: 2
Snyk (added 2026/02/19 8:29 p.m., 3 views)

Allocation of Resources Without Limits or Throttling

Overview: @sveltejs/kit is a SvelteKit framework and CLI. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the remote form deserialization. An attacker can cause excessive memory allocation and crash the server process by submitting...

CVSS: 8.2 | AI score: 5.7
Exploits: 0 | References: 2
OSV (added 2026/02/19 8:29 p.m., 2 views)

GHSA-VRHM-GVG7-FPCF Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service. Only applications using both experimental.remoteFunctions a...

CVSS: 8.2 | AI score: 5.6
Exploits: 0 | References: 4
NVD (added 2025/01/11 8:15 a.m., 14 views)

CVE-2024-12877

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to...

CVSS: 9.8 | EPSS: 0.33421
Exploits: 1 | References: 2