5 matches found
CVE-2024-23641
CVE-2024-23641 affects SvelteKit 2 apps when handling HTTP GET/HEAD requests with a body (e.g., {})—these requests crash the preview/hosted app, including TRACE, causing DoS. The issue specifically impacts deployments using @sveltejs/adapter-node versions 2.1.2, 3.0.3, or 4.0.1 and @sveltejs/kit ...
CVE-2026-40073
SvelteKit (framework for building web apps with Svelte) contains a vulnerability in adapter-node prior to version 2.57.1 where, under certain conditions, requests could bypass the BODY_SIZE_LIMIT. The issue is scoped to SvelteKit applications using adapter-node and does not affect body size limit...
CVE-2025-67647
CVE-2025-67647 affects SvelteKit. Before 2.49.5, it allows server-side request forgery (SSRF) and DoS under prerender conditions. From 2.44.0 to 2.49.4, a DoS can occur if at least one prerendered route exists (export const prerender = true). From 2.19.0 to 2.49.4, DoS/SSRF can occur when there i...
CVE-2026-40074
CVE-2026-40074 affects SvelteKit. The issue is an unhandled TypeError in redirect() when called from the handle hook with a location containing characters invalid in HTTP headers, leading to potential DoS. Vulnerable in all versions before 2.57.1; fixed in 2.57.1. Remediation: upgrade to 2.57.1 o...
CVE-2026-22803
CVE-2026-22803 affects SvelteKit. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary format for submitted data, and a crafted payload can trigger unbounded memory allocation, causing a DoS via memory exhaustion. This is fixed in 2.49.5. Impact is memory exhaustion of the s...