Lucene search
24 matches found

Snyk
added 2026/02/28 2:04 a.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview @sveltejs/kit is a SvelteKit framework and CLI. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the deserializebinaryform function in the remote form handler. An attacker can exhaust application resources by sending crafted bina...

CVSS 6.3, AI score 6
Exploits: 0, References: 2
OSV
added 2026/02/28 2:04 a.m., 1 view

GHSA-FPG4-JHQR-589C SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...

CVSS 6.3, AI score 6
Exploits: 0, References: 4
Github Security Blog
added 2026/02/28 2:04 a.m., 5 views

SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...

AI score 6
Exploits: 0, References: 4, Affected software: 1
Github Security Blog
added 2026/02/19 8:30 p.m., 7 views

CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service. Only applications using both experimental.remoteFunctions and form...

AI score 5.6
Exploits: 0, References: 4, Affected software: 1
OSV
added 2026/02/19 8:30 p.m., 0 views

GHSA-88QP-P4QG-RQM6 CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service. Only applications using both experimental.remoteFunctions and form...

CVSS 6.9, AI score 5.6
Exploits: 0, References: 4
Snyk
added 2026/02/19 8:30 p.m., 1 view

Access of Resource Using Incompatible Type ('Type Confusion')

Overview @sveltejs/kit is a SvelteKit framework and CLI. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the remote form deserialization. An attacker can cause the server to become unresponsive and exhaust CPU resources by...

CVSS 6.9, AI score 5.7
Exploits: 0, References: 2
Snyk
added 2026/02/19 8:29 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview @sveltejs/kit is a SvelteKit framework and CLI. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the remote form deserialization. An attacker can cause excessive memory allocation and crash the server process by submitting...

CVSS 8.2, AI score 5.7
Exploits: 0, References: 2
Github Security Blog
added 2026/02/19 8:29 p.m., 5 views

Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service. Only applications using both experimental.remoteFunctions a...

AI score 5.6
Exploits: 0, References: 4, Affected software: 1
OSV
added 2026/02/19 8:29 p.m., 1 view

GHSA-VRHM-GVG7-FPCF Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service. Only applications using both experimental.remoteFunctions a...

CVSS 8.2, AI score 5.6
Exploits: 0, References: 4
CVE
added 2026/01/15 6:37 p.m., 11 views

CVE-2026-22803

CVE-2026-22803 affects SvelteKit. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary format for submitted data, and a crafted payload can trigger unbounded memory allocation, causing a DoS via memory exhaustion. This is fixed in 2.49.5. Impact is memory exhaustion of the s...

CVSS 8.2, AI score 6.5, EPSS 0.00023
Exploits: 0, References: 3, Affected software: 1
Vulnrichment
added 2026/01/15 6:37 p.m., 2 views

CVE-2026-22803 SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate...

CVSS 8.2, AI score 6.5, EPSS 0.00023
Exploits: 0, References: 3
Cvelist
added 2026/01/15 6:37 p.m., 18 views

CVE-2026-22803 SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate...

CVSS 8.2, EPSS 0.00023
Exploits: 0, References: 3
OSV
added 2026/01/15 6:10 p.m., 1 view

GHSA-J2F3-WQ62-6Q46 @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)

Summary: The experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. Details: When a form is submitted to a remote functi...

CVSS 8.2, AI score 7.3, EPSS 0.00023
Exploits: 0, References: 6
Github Security Blog
added 2026/01/15 6:10 p.m., 8 views

@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)

Summary: The experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. Details: When a form is submitted to a remote functi...

CVSS 8.2, AI score 7.4, EPSS 0.00023
Exploits: 0, References: 6, Affected software: 1
CNNVD
added 2026/01/15 12:00 a.m., 2 views

SvelteKit security vulnerabilities

SvelteKit is an open-source web development framework developed in Svelte. Versions 2.49.0 to 2.49.4 of SvelteKit contain security vulnerabilities. These vulnerabilities stem from improper handling of special payloads by experimental form-based remote functions, which may lead to a memory...

CVSS 8.2, AI score 5.8, EPSS 0.00023
Exploits: 0, References: 3
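The SvelteKit entries above describe two ways a small remote-form request becomes a large server-side allocation: a declared length in the binary form encoding that the decoder honours before checking that the bytes were actually sent (CVE-2026-22803 / GHSA-J2F3-WQ62-6Q46, GHSA-VRHM-GVG7-FPCF), and a decoded files array that grows far beyond the request size and is then handed to a handler that never checks files.length or file sizes (GHSA-FPG4-JHQR-589C). What follows is an added example, not SvelteKit's code: a constructed toy length-prefixed encoding (not the real application/x-sveltekit-formdata layout) with a trusting decoder beside a bounded one, plus the handler-side files.length and per-file size check the advisory recommends. The wire format, the limit values and the handler shape (guardFiles) are assumptions made for the example.

```javascript
// Added example, not SvelteKit's code. The wire format is a constructed toy (big-endian u32 file
// count, then per file u32 nameLen, name, u32 dataLen, data); it is NOT the real
// application/x-sveltekit-formdata layout. It reproduces the bug class in the advisories above
// (allocation driven by attacker-declared sizes) and the checks that close it.

const RECORD_HEADER_BYTES = 8; // smallest possible file record: u32 nameLen + u32 dataLen

function u32(n) { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; }

// Encoder, used to build an honest payload in the layout both decoders expect.
function encode(files) {
  const parts = [u32(files.length)];
  for (const f of files) {
    const name = Buffer.from(f.name, 'utf8');
    parts.push(u32(name.length), name, u32(f.data.length), f.data);
  }
  return Buffer.concat(parts);
}

// Vulnerable decoder: reserves whatever dataLen claims before checking that the bytes exist,
// so a 13-byte request makes it allocate megabytes (or gigabytes) for one file.
function decodeTrusting(buf) {
  let off = 0;
  const count = buf.readUInt32BE(off); off += 4;
  const files = [];
  for (let i = 0; i < count; i++) {
    const nameLen = buf.readUInt32BE(off); off += 4;
    const name = buf.toString('utf8', off, off + nameLen); off += nameLen;
    const dataLen = buf.readUInt32BE(off); off += 4;
    const data = Buffer.alloc(dataLen);          // attacker-chosen size, zero-filled
    buf.subarray(off, off + dataLen).copy(data); // copies only the bytes that were sent
    off += dataLen;
    files.push({ name, data });
  }
  return files;
}

// Hardened decoder: every declared length is checked against the bytes remaining, the file
// count is capped before any array grows, and a running byte budget is enforced before a
// single data buffer is allocated.
function decodeBounded(buf, limits) {
  let off = 0;
  const remaining = () => buf.length - off;
  const take = (len, what) => {
    if (len > remaining()) throw new RangeError(`${what} needs ${len} bytes, only ${remaining()} left`);
    const view = buf.subarray(off, off + len);
    off += len;
    return view;
  };
  const count = take(4, 'count').readUInt32BE(0);
  if (count > limits.maxFiles) throw new RangeError(`${count} files, limit ${limits.maxFiles}`);
  if (count * RECORD_HEADER_BYTES > remaining()) throw new RangeError(`${count} files cannot fit in ${remaining()} bytes`);
  const files = [];
  let total = 0;
  for (let i = 0; i < count; i++) {
    const name = take(take(4, 'nameLen').readUInt32BE(0), 'name').toString('utf8');
    const dataLen = take(4, 'dataLen').readUInt32BE(0);
    if (dataLen > limits.maxFileBytes) throw new RangeError(`file ${i} declares ${dataLen} bytes, limit ${limits.maxFileBytes}`);
    total += dataLen;
    if (total > limits.maxTotalBytes) throw new RangeError(`total ${total} bytes, limit ${limits.maxTotalBytes}`);
    files.push({ name, data: Buffer.from(take(dataLen, 'data')) }); // copy only after the checks
  }
  if (off !== buf.length) throw new RangeError('trailing bytes after last record');
  return files;
}

// Handler-side guard; the handler shape is assumed, not SvelteKit's remote-function API.
// Whatever the decoder did, bound files.length and each file's size before expensive work.
function guardFiles(files, limits) {
  if (files.length > limits.maxFiles) return { ok: false, reason: `${files.length} files, limit ${limits.maxFiles}` };
  const big = files.find((f) => f.data.length > limits.maxFileBytes);
  if (big) return { ok: false, reason: `${big.name} is ${big.data.length} bytes, limit ${limits.maxFileBytes}` };
  return { ok: true };
}

// Constructed sample inputs.
const LIMITS = { maxFiles: 8, maxFileBytes: 1 << 20, maxTotalBytes: 4 << 20 };
const HONEST = encode([{ name: 'avatar.png', data: Buffer.from('not really a png') }]);
// 13 bytes claiming one 16 MiB file with nothing behind it: count=1, nameLen=1, 'a', dataLen.
const INFLATED = Buffer.concat([u32(1), u32(1), Buffer.from('a'), u32(16 << 20)]);
// Within the per-file limit, so only the "bytes actually sent" check catches it.
const TRUNCATED = Buffer.concat([u32(1), u32(1), Buffer.from('a'), u32(1000)]);
// 8 bytes claiming 7 files: rejected by the count-vs-payload check before any array grows.
const COUNT_BOMB = Buffer.concat([u32(7), u32(0)]);

function rejection(buf) {
  try { decodeBounded(buf, LIMITS); return null; } catch (e) { return e.message; }
}

function demo() {
  const inflated = decodeTrusting(INFLATED);
  return {
    honest: decodeBounded(HONEST, LIMITS).map((f) => `${f.name}:${f.data.length}`),
    inflatedBytes: inflated[0].data.length,                // 16777216 from a 13-byte request
    amplification: inflated[0].data.length / INFLATED.length,
    guard: guardFiles(inflated, LIMITS),                   // handler check refuses it anyway
    rejected: [INFLATED, TRUNCATED, COUNT_BOMB].map(rejection),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The ordering inside decodeBounded is the point: the count is compared against the payload size before the files array exists, and each dataLen is compared against the per-file limit, the running total and the bytes still unread before Buffer.from runs, so no allocation ever exceeds what the client actually transmitted. guardFiles is deliberately redundant with the decoder; the GHSA-FPG4-JHQR-589C entry is about handlers that do expensive work on files they never bounded, and that check belongs in application code regardless of which framework version is installed.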
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-19706

Malware in sbrugna...

CVSS 9.8, AI score 9.2, EPSS 0.00433
Exploits: 0, References: 3
RedhatCVE
added 2025/05/22 4:34 p.m., 5 views

CVE-2020-27183

A RemoteFunctions endpoint with missing access control in konzept-ix publiXone before 2020.015 allows attackers to disclose sensitive user information, send arbitrary e-mails, escalate the privileges of arbitrary user accounts, and have unspecified other impact...

CVSS 9.8, AI score 7.4, EPSS 0.00433
Exploits: 0
RedhatCVE
added 2025/02/05 2:38 p.m., 5 views

CVE-2020-6198

SAP Solution Manager Diagnostics Agent, version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker to control all remote functions on the Agent due to Missing Authentication Check...

CVSS 9.8, AI score 7.1, EPSS 0.00385
Exploits: 0, References: 1
ICS
added 2023/09/05 10:00 a.m., 1 view

Festo MSE6-C2M/D2M/E2M

SUMMARY: Incomplete user documentation of undocumented, authenticated test mode and further remote accessible functions. The supported features may be covered only partly by the corresponding user documentation. Festo developed the products according to the respective state of the art. As a...

CVSS 8.8, AI score 6.4, EPSS 0.00087
Exploits: 0, References: 12
Cvelist
added 2022/12/01 10:27 a.m., 19 views

CVE-2022-3270 Incomplete Documentation of remote functions in FESTO products.

In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability...

CVSS 9.8, AI score 9.7, EPSS 0.00955
Exploits: 0, References: 1