Cross-Site Scripting (XSS)
@sveltejs/kit is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of user-controlled input in the error message. Specifically, the placeholders in error.html are replaced with content without escaping, which can allow malicious content to be injected and...
Denial Of Service (DoS)
sveltejs/kit is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of HTTP GET and TRACE requests that include an empty body. When such requests are received, the application throws an error stating "Request with GET/HEAD method cannot have body" and subsequently...
CVE-2024-23641 Sending a GET or HEAD request with a body crashes SvelteKit
SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body (e.g., to a built and previewed/hosted SvelteKit app) throws "Request with GET/HEAD method cannot have body." and crashes the preview/hosting. After this happens, one must manually restart the app. TRACE requests will...
CVE-2024-23641
CVE-2024-23641 affects SvelteKit 2 apps when handling HTTP GET/HEAD requests with a body (e.g., {})—these requests crash the preview/hosted app, including TRACE, causing DoS. The issue specifically impacts deployments using @sveltejs/adapter-node versions 2.1.2, 3.0.3, or 4.0.1 and @sveltejs/kit ...
Cross-Site Request Forgery (CSRF)
@sveltejs/kit is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the negotiate function of http.js due to the case-insensitive comparison when checking the header value, which allows an attacker to execute operations within the victim's session, leading to unauthorized...
Cross-Site Request Forgery
@sveltejs/kit is vulnerable to Cross-Site Request Forgery (CSRF). Malicious requests can be submitted from third-party domains, which allows an attacker to execute operations within the victim's session by bypassing CSRF protection via a Content-Type header value such as text/plain,...