SvelteKit security vulnerability
SvelteKit is an open-source web development framework built on Svelte. Versions of SvelteKit prior to 2.57.1 contained security vulnerabilities. These vulnerabilities stemmed from a scenario where requests could bypass the BODY_SIZE_LIMIT, potentially leading to denial-of-service attacks...
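The practical defence against a body-size-limit bypass is to count the bytes actually received rather than trusting what the client declares. The following is an added example and not SvelteKit's or adapter-node's own code; the limit value, the `BodySizeGuard` class and the helper names are assumptions made for this illustration.

```javascript
// Added example, not SvelteKit's own code: enforce a body size limit on the
// bytes actually received rather than on the Content-Length header alone.
// The limit value and the helper names are assumptions for this example.

const BODY_SIZE_LIMIT = 512 * 1024; // hypothetical 512 KiB limit

// Synchronous byte counter shared by any body-reading path. Throws the moment
// the running total passes the limit, so nothing beyond the limit is buffered.
class BodySizeGuard {
  constructor(limit = BODY_SIZE_LIMIT) {
    this.limit = limit;
    this.received = 0;
    this.chunks = [];
  }
  push(chunk) {
    this.received += chunk.byteLength;
    if (this.received > this.limit) {
      throw new Error(`body exceeds limit of ${this.limit} bytes`);
    }
    this.chunks.push(chunk);
    return this.received;
  }
  body() {
    return Buffer.concat(this.chunks);
  }
}

// Reads a web ReadableStream<Uint8Array> (what Request.body exposes) through
// the guard. A declared Content-Length is only an early hint; it is never trusted,
// so a client that omits it or lies about it is still stopped at the limit.
async function readBodyWithLimit(stream, contentLength, limit = BODY_SIZE_LIMIT) {
  if (contentLength !== undefined && contentLength > limit) {
    throw new Error('Content-Length exceeds limit');
  }
  const guard = new BodySizeGuard(limit);
  const reader = stream.getReader();
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      guard.push(value); // throws on overrun, regardless of the header
    }
  } catch (err) {
    await reader.cancel(err.message);
    throw err;
  } finally {
    reader.releaseLock();
  }
  return guard.body();
}

// Builds a stream from constructed chunks (sample input for the example).
function makeStream(chunks) {
  return new ReadableStream({
    start(controller) {
      for (const c of chunks) controller.enqueue(Uint8Array.from(c));
      controller.close();
    },
  });
}

// Drives the guard synchronously over constructed chunk sizes;
// returns the byte count on success or 'rejected' once the limit is passed.
function simulate(chunkSizes, limit) {
  const guard = new BodySizeGuard(limit);
  try {
    for (const n of chunkSizes) guard.push(new Uint8Array(n));
    return guard.received;
  } catch {
    return 'rejected';
  }
}

// Stand-alone demonstration: a client declaring no Content-Length but streaming 600 bytes.
readBodyWithLimit(makeStream([Buffer.alloc(300), Buffer.alloc(300)]), undefined, 500)
  .then(() => console.log('accepted'), (e) => console.log('rejected:', e.message));
```

The guard is deliberately separate from the stream reader so the same limit can be applied to every path that reads a body (raw bytes, form data, JSON), which is what closes the kind of gap the advisory describes.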
Allocation of Resources Without Limits or Throttling
Overview: @sveltejs/kit is the SvelteKit framework and CLI. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via remote form deserialization. An attacker can cause excessive memory allocation and crash the server process by submitting...
CVE-2025-67647
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to server-side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when...
CVE-2026-22803 SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate...
Memory Allocation with Excessive Size Value
Overview: @sveltejs/kit is the SvelteKit framework and CLI. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the deserializebinaryform function via the Remote Form endpoint. An attacker can cause excessive memory allocation by sending a specially crafted...
PT-2026-3094
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate...
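The four entries above (the Allocation of Resources Without Limits, CVE-2026-22803, Memory Allocation with Excessive Size Value and PT-2026-3094 records) describe one bug class: a binary form decoder that sizes an allocation from a length the client supplies. The example below is added here and is not SvelteKit's deserializer; the wire layout (a big-endian u32 field count, then per field a u32 key length, key bytes, u32 value length and value bytes), the caps and the function names are assumptions made for this illustration. It shows the unchecked pattern next to a hardened decoder that bounds every declared length by the bytes actually present.

```javascript
// Added example, not SvelteKit's own deserializer. Assumed layout: u32 field
// count, then per field u32 key length, key bytes, u32 value length, value
// bytes, all big-endian. The unchecked decoder allocates whatever length the
// payload declares; the checked one bounds every declared length by the input.

const MAX_FIELDS = 1000;            // hypothetical caps for the example
const MAX_TOTAL_BYTES = 1024 * 1024;

// Encoder used to construct benign sample input.
function encodeForm(fields) {
  const parts = [Buffer.alloc(4)];
  parts[0].writeUInt32BE(fields.length);
  for (const [key, value] of fields) {
    for (const s of [key, value]) {
      const bytes = Buffer.from(s, 'utf8');
      const len = Buffer.alloc(4);
      len.writeUInt32BE(bytes.length);
      parts.push(len, bytes);
    }
  }
  return Buffer.concat(parts);
}

// Vulnerable: trusts the declared length. A 13-byte payload claiming a
// 4 GiB value makes this attempt a 4 GiB allocation before reading anything.
function decodeFormUnchecked(buf) {
  let off = 0;
  const count = buf.readUInt32BE(off); off += 4;
  const out = new Map();
  for (let i = 0; i < count; i++) {
    const strs = [];
    for (let j = 0; j < 2; j++) {
      const len = buf.readUInt32BE(off); off += 4;
      const dst = Buffer.alloc(len);               // allocation sized by attacker data
      buf.copy(dst, 0, off, off + len); off += len;
      strs.push(dst.toString('utf8'));
    }
    out.set(strs[0], strs[1]);
  }
  return out;
}

// Hardened: every declared length must fit in the remaining input, and
// aggregate caps bound the work an attacker can request per byte sent.
function decodeFormChecked(buf) {
  if (buf.length > MAX_TOTAL_BYTES) throw new Error('payload too large');
  let off = 0;
  const readU32 = () => {
    if (off + 4 > buf.length) throw new Error('truncated length prefix');
    const v = buf.readUInt32BE(off); off += 4;
    return v;
  };
  const count = readU32();
  if (count > MAX_FIELDS) throw new Error('too many fields');
  const out = new Map();
  for (let i = 0; i < count; i++) {
    const strs = [];
    for (let j = 0; j < 2; j++) {
      const len = readU32();
      if (len > buf.length - off) throw new Error('declared length exceeds remaining input');
      strs.push(buf.subarray(off, off + len).toString('utf8')); // view, no allocation from declared length
      off += len;
    }
    out.set(strs[0], strs[1]);
  }
  if (off !== buf.length) throw new Error('trailing bytes');
  return out;
}

// Constructed hostile payload: one field, a 1-byte key, then a value length of
// 0xFFFFFFFF with no value bytes behind it.
function craftedPayload() {
  const b = Buffer.alloc(4 + 4 + 1 + 4);
  b.writeUInt32BE(1, 0);
  b.writeUInt32BE(1, 4);
  b.write('a', 8);
  b.writeUInt32BE(0xffffffff, 9);
  return b;
}

// Returns the decoded map, or the rejection message, without letting a throw escape.
function tryDecode(decoder, buf) {
  try { return decoder(buf); } catch (e) { return e.message; }
}
```

The unchecked decoder is shown for contrast only; do not feed `craftedPayload()` to it, since that is exactly the allocation the advisories describe. The checked decoder rejects the same payload at the length check and never allocates from the declared size.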
Insertion of Sensitive Information Into Sent Data
Overview: @sentry/sveltekit is the official Sentry SDK for SvelteKit. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the sendDefaultPii configuration option. An attacker can gain access to sensitive HTTP headers, such as authentication...
SvelteKit security vulnerability
SvelteKit is an open-source web development framework built on Svelte. A security vulnerability exists in SvelteKit 2.27.3 and earlier, stemming from prototype pollution in the parseFormData function in formData.js, which could lead to denial of service, type confusion, and...
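To make the prototype-pollution entry above concrete, here is an added example (not SvelteKit's parseFormData) of a form-data parser that turns dotted field names such as `user.name` into nested objects. The dotted syntax, the `FORBIDDEN_KEYS` set and the helper names are assumptions for this illustration. The naive version writes through whatever path the client names, so `__proto__.isAdmin=true` lands on `Object.prototype`; the hardened version refuses prototype keys and builds prototype-free containers.

```javascript
// Added example, not SvelteKit's parseFormData. Dotted field names such as
// "user.name" become nested objects (an assumed syntax for this example).

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: assigns through any key, including __proto__.
function parseFormDataUnsafe(form) {
  const root = {};
  for (const [name, value] of form) {
    const path = name.split('.');
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];   // for "__proto__" this is Object.prototype
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Hardened: reject prototype keys up front and use null-prototype containers,
// so no lookup can walk up into Object.prototype.
function parseFormDataSafe(form) {
  const root = Object.create(null);
  for (const [name, value] of form) {
    const path = name.split('.');
    for (const key of path) {
      if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key in field name: ${name}`);
    }
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (!Object.hasOwn(node, key) || typeof node[key] !== 'object') node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Constructed sample submissions.
const benignForm = new URLSearchParams('user.name=alice&user.role=viewer');
const hostileForm = new URLSearchParams('__proto__.isAdmin=true');

// Runs a parser against the hostile form and reports whether a fresh, unrelated
// object now carries the injected property; cleans up so the check is repeatable.
function pollutesGlobalPrototype(parser) {
  try {
    parser(hostileForm);
  } catch {
    return false; // parser refused the field
  }
  const leaked = ({}).isAdmin === 'true';
  delete Object.prototype.isAdmin;
  return leaked;
}
```

The type-confusion and denial-of-service consequences named in the entry follow from the same write: once `Object.prototype` carries an attacker-chosen property, every later `obj.isAdmin` or `obj.length` lookup in the process that falls through to the prototype sees the injected value.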
EUVD-2025-11140
Malicious code in bioql PyPI...
EUVD-2024-3380
Malicious code in bioql PyPI...
CVE-2024-53261
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting (XSS) attack." The files...
CVE-2025-32388
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can explo...
CVE-2025-32388 SvelteKit allows XSS via tracked search_params
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can explo...
GHSA-6Q87-84JW-CJHP @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params
Summary: Unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. Details: SvelteKit tracks...
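The CVE-2025-32388 / GHSA-6Q87-84JW-CJHP entries above describe the affected pattern (iterating `event.url.searchParams` in a server load function, which makes every client-chosen parameter name a tracked name) and the sink (the tracked names are written into the rendered page). The example below is added here and is not SvelteKit's serializer; the `__data` global, the page layout and the helper names are assumptions for this illustration. It shows why embedding raw `JSON.stringify` output in an inline script is the defect and what the escaping fix looks like.

```javascript
// Added example, not SvelteKit's own serializer. Models the advisory's pattern:
// a load function iterating url.searchParams (so every param name is tracked)
// and a serializer writing the tracked names into an inline <script>.
// The __data global and helper names are assumptions for this example.

// The load-function pattern the advisory says makes a page affected:
// iterating over all entries makes every client-supplied name a tracked name.
function trackedParamNames(url) {
  const names = [];
  for (const [name] of url.searchParams) names.push(name);
  return names;
}

// Vulnerable: JSON.stringify does not escape "<", so a name containing
// "</script>" terminates the script element and the rest is parsed as HTML.
function renderTrackedUnsafe(names) {
  return `<script>__data = ${JSON.stringify({ search_params: names })};</script>`;
}

// Hardened: escape the characters that can end a script element or break a
// JS string literal inside HTML before embedding the JSON. The JSON is still
// valid, so the client parses the same values back.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function renderTrackedSafe(names) {
  return `<script>__data = ${escapeForInlineScript(JSON.stringify({ search_params: names }))};</script>`;
}

// Counts script end tags in the rendered fragment; a correctly rendered
// fragment has exactly one, its own.
function scriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed hostile link: a parameter *name* that closes the script element.
// URLSearchParams decodes the percent-encoding the URL parser applies, so the
// load function sees the raw "</script>" in the name.
const hostileUrl = new URL('https://example.test/page?</script><i>injected</i>=1&q=books');
```

Note that the payload lives in the parameter name, not its value; an application that only sanitizes values while letting the framework serialize the set of tracked names would still render the breakout in the unsafe variant.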
@2077collective/persona (>=0.0.1 <=0.0.3), @acudac/md3-svelte (>=1.1.2 <=1.1.19) +401 more potentially affected by CVE-2024-53261 via @sveltejs/kit (>=1.0.0-next.100 <=2.8.1)
@sveltejs/kit NPM version =1.0.0-next.100, =0.0.1, =1.1.2, =1.0.1, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =1.0.183, =0.0.1, =0.3.0, =0.5.7, =0.0.1-alpha.1, =0.6.1, =0.0.7, =0.0.9, =0.43.1 and more Source cves: CVE-2024-53261 Source advisory: OSV:GHSA-RJJV-87MX-6X3H...
@affinity-lab/sk-messaging (>=1.0.4 <=1.0.5), @affinity-lab/sk-mik-id-sso-client (>=1.0.0 <=1.0.1) +36 more potentially affected by CVE-2023-29008 via @sveltejs/kit (>=1.0.0-next.100 <=1.13.0)
@sveltejs/kit NPM version =1.0.0-next.100, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =1.1.9, =2.2.3-beta.1, =0.0.0-0d3aa317, =1.1.0, =1.0.3, =1.0.0, =1.0.3 - @medyll/slotui =0.1.61 and more Source cves: CVE-2023-29008 Source advisory: OSV:GHSA-GV7G-X59X-WF8F...