@sveltejs/kit is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the negotiate function of http.js due to the case-insensitive comparison when checking the header value, which allows an attacker to execute operations within the victim's session, leading to unauthorized access to user accounts.
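The kind of check at issue, written as an added example that is not SvelteKit's negotiate()/http.js code: a CSRF guard for form-style state-changing requests whose outcome cannot be changed by how the client cases the Content-Type value (the header is reduced to a lowercase media type before comparison), combined with a same-origin check on the Origin header. The hook-style inputs (a request-like object and the URL it was sent to) and the Node 18+ globals `Headers` and `URL` are assumptions.

```javascript
// Added example (not SvelteKit's code): a CSRF guard for state-changing
// requests that a browser can submit cross-site as a plain form.
// Assumes a hook-style caller passing a request-like object and the URL the
// request was made to; uses the Node 18+ globals Headers and URL.

// Media types a browser may send cross-site without a CORS preflight.
const FORM_MEDIA_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Reduce a Content-Type value to its bare media type: drop parameters such as
// "; charset=utf-8" or "; boundary=...", trim, and lowercase. Media types are
// case-insensitive, so the check must not depend on the client's casing.
function mediaType(contentType) {
  if (!contentType) return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

function isFormContentType(headers) {
  return FORM_MEDIA_TYPES.has(mediaType(headers.get('content-type')));
}

// Returns null when the request may proceed, or the HTTP status to reject with.
function csrfCheck(request, url) {
  const method = request.method.toUpperCase();
  if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) return null;
  if (!isFormContentType(request.headers)) return null;
  // Browsers attach Origin to cross-site form submissions; a missing, "null"
  // or foreign origin is rejected, so only same-origin form posts get through.
  const origin = request.headers.get('origin');
  return origin === url.origin ? null : 403;
}

// Constructed sample requests (not captured traffic) exercising the guard.
function demo() {
  const site = new URL('https://app.example/');
  const mk = (method, headers) => ({ method, headers: new Headers(headers) });
  return {
    sameOriginForm: csrfCheck(mk('POST', {
      'content-type': 'application/x-www-form-urlencoded', origin: 'https://app.example' }), site),
    crossOriginUppercased: csrfCheck(mk('POST', {
      'content-type': 'Application/X-WWW-Form-Urlencoded; charset=UTF-8', origin: 'https://evil.example' }), site),
    crossOriginTextPlain: csrfCheck(mk('post', { 'content-type': 'TEXT/PLAIN', origin: 'null' }), site),
    // JSON cannot be posted cross-site without a preflight, so it is not a form CSRF vector.
    crossOriginJson: csrfCheck(mk('POST', { 'content-type': 'application/json', origin: 'https://evil.example' }), site),
    safeMethod: csrfCheck(mk('GET', { origin: 'https://evil.example' }), site),
  };
}
```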