
    10 vulnerabilities found for kit by svelte

    CVE-2026-40074 (GCVE-0-2026-40074)

    Vulnerability from nvd – Published: 2026-04-10 16:26 – Updated: 2026-04-14 14:17
    Title
    SvelteKit's invalidated redirect in handle hook causes Denial-of-Service
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-755 - Improper Handling of Exceptional Conditions
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:17:18.734745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:17:29.422Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-755",
                  "description": "CWE-755: Improper Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:26:07.068Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-3f6h-2hrp-w5wx",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit\u0027s invalidated redirect in handle hook causes Denial-of-Service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40074",
        "datePublished": "2026-04-10T16:26:07.068Z",
        "dateReserved": "2026-04-09T00:39:12.205Z",
        "dateUpdated": "2026-04-14T14:17:29.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40073 (GCVE-0-2026-40073)

    Vulnerability from nvd – Published: 2026-04-10 16:24 – Updated: 2026-04-13 15:36
    Title
    SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40073",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:04:15.946303Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:36:57.412Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:24:39.987Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-2crg-3p73-43xp",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40073",
        "datePublished": "2026-04-10T16:24:39.987Z",
        "dateReserved": "2026-04-09T00:39:12.204Z",
        "dateUpdated": "2026-04-13T15:36:57.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22803 (GCVE-0-2026-22803)

    Vulnerability from nvd – Published: 2026-01-15 18:37 – Updated: 2026-01-15 19:06
    Title
    SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.49.0, < 2.49.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T19:06:02.781041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T19:06:13.528Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.49.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:37:57.831Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"
            }
          ],
          "source": {
            "advisory": "GHSA-j2f3-wq62-6q46",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22803",
        "datePublished": "2026-01-15T18:37:57.831Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-15T19:06:13.528Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67647 (GCVE-0-2025-67647)

    Vulnerability from nvd – Published: 2026-01-15 18:33 – Updated: 2026-01-15 18:58
    Title
    SvelteKit Denial of service and possible SSRF when using prerendering
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-248 - Uncaught Exception
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.19.0, < 2.49.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67647",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:57:32.614460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:58:01.975Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.19.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:33:25.295Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226"
            }
          ],
          "source": {
            "advisory": "GHSA-j62c-4x62-9r35",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit Denial of service and possible SSRF when using prerendering"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-67647",
        "datePublished": "2026-01-15T18:33:25.295Z",
        "dateReserved": "2025-12-09T18:36:41.331Z",
        "dateUpdated": "2026-01-15T18:58:01.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23641 (GCVE-0-2024-23641)

    Vulnerability from nvd – Published: 2024-01-24 16:56 – Updated: 2024-11-13 15:09
    Title
    Sending a GET or HEAD request with a body crashes SvelteKit
    Summary
    SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.0.0, < 2.4.3
    Affected: >= 2.0.0, < 2.1.2
    Affected: >= 3.0.0, < 3.0.3
    Affected: = 4.0.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T15:09:24.824860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T15:09:39.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.0.3"
                },
                {
                  "status": "affected",
                  "version": "= 4.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-24T16:56:32.392Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
            }
          ],
          "source": {
            "advisory": "GHSA-g5m6-hxpp-fc49",
            "discovery": "UNKNOWN"
          },
          "title": "Sending a GET or HEAD request with a body crashes SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-23641",
        "datePublished": "2024-01-24T16:56:32.392Z",
        "dateReserved": "2024-01-19T00:18:53.233Z",
        "dateUpdated": "2024-11-13T15:09:39.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-40074 (GCVE-0-2026-40074)

    Vulnerability from cvelistv5 – Published: 2026-04-10 16:26 – Updated: 2026-04-14 14:17
    Title
    SvelteKit's invalidated redirect in handle hook causes Denial-of-Service
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-755 - Improper Handling of Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:17:18.734745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:17:29.422Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-755",
                  "description": "CWE-755: Improper Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:26:07.068Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-3f6h-2hrp-w5wx",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit\u0027s invalidated redirect in handle hook causes Denial-of-Service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40074",
        "datePublished": "2026-04-10T16:26:07.068Z",
        "dateReserved": "2026-04-09T00:39:12.205Z",
        "dateUpdated": "2026-04-14T14:17:29.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40073 (GCVE-0-2026-40073)

    Vulnerability from cvelistv5 – Published: 2026-04-10 16:24 – Updated: 2026-04-13 15:36
    VLAI
    Title
    SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the `BODY_SIZE_LIMIT` on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1. Note that the affected-product entry and the release reference attached to this record name only `@sveltejs/kit` 2.57.1; the corresponding `@sveltejs/adapter-node` release is not identified here, so check the linked advisory for the adapter version to upgrade to.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40073",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:04:15.946303Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:36:57.412Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:24:39.987Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-2crg-3p73-43xp",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40073",
        "datePublished": "2026-04-10T16:24:39.987Z",
        "dateReserved": "2026-04-09T00:39:12.204Z",
        "dateUpdated": "2026-04-13T15:36:57.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22803 (GCVE-0-2026-22803)

    Vulnerability from cvelistv5 – Published: 2026-01-15 18:37 – Updated: 2026-01-15 19:06
    VLAI
    Title
    SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental `form` remote function uses a binary data format containing a representation of submitted form data. A specially crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5. Note that the release reference attached to this record points at an `@sveltejs/adapter-node` tag rather than a `@sveltejs/kit` tag, while the fix is stated to be in `@sveltejs/kit` 2.49.5; confirm the package to bump against the linked advisory.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.49.0, < 2.49.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T19:06:02.781041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T19:06:13.528Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.49.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:37:57.831Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"
            }
          ],
          "source": {
            "advisory": "GHSA-j2f3-wq62-6q46",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22803",
        "datePublished": "2026-01-15T18:37:57.831Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-15T19:06:13.528Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67647 (GCVE-0-2025-67647)

    Vulnerability from cvelistv5 – Published: 2026-01-15 18:33 – Updated: 2026-01-15 18:58
    VLAI
    Title
    SvelteKit Denial of service and possible SSRF when using prerendering
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to server-side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (`export const prerender = true`). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured `ORIGIN` environment variable, and you are not using a reverse proxy that implements Host header validation. Note that, as written, both conditions are described only as DoS, yet the record is also classified CWE-918 (SSRF) and its CVSS vector rates confidentiality impact as high; the second configuration (no `ORIGIN`, no upstream Host header validation) is presumably the SSRF case, but confirm this against the linked advisory. This vulnerability is fixed in 2.49.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-248 - Uncaught Exception
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.19.0, < 2.49.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67647",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:57:32.614460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:58:01.975Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.19.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:33:25.295Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226"
            }
          ],
          "source": {
            "advisory": "GHSA-j62c-4x62-9r35",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit Denial of service and possible SSRF when using prerendering"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-67647",
        "datePublished": "2026-01-15T18:33:25.295Z",
        "dateReserved": "2025-12-09T18:36:41.331Z",
        "dateUpdated": "2026-01-15T18:58:01.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23641 (GCVE-0-2024-23641)

    Vulnerability from cvelistv5 – Published: 2024-01-24 16:56 – Updated: 2024-11-13 15:09
    VLAI
    Title
    Sending a GET or HEAD request with a body crashes SvelteKit
    Summary
    SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body (e.g. `{}`) to a built and previewed/hosted SvelteKit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting process. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.0.0, < 2.4.3
    Affected: >= 2.0.0, < 2.1.2
    Affected: >= 3.0.0, < 3.0.3
    Affected: = 4.0.0
    (The last three ranges line up with the `@sveltejs/adapter-node` patch versions 2.1.2, 3.0.3 and 4.0.1 named in the summary, so they presumably describe adapter-node rather than `@sveltejs/kit`, even though the record lists all four under the product `kit`; check both packages when assessing exposure.)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T15:09:24.824860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T15:09:39.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.0.3"
                },
                {
                  "status": "affected",
                  "version": "= 4.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-24T16:56:32.392Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
            }
          ],
          "source": {
            "advisory": "GHSA-g5m6-hxpp-fc49",
            "discovery": "UNKNOWN"
          },
          "title": "Sending a GET or HEAD request with a body crashes SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-23641",
        "datePublished": "2024-01-24T16:56:32.392Z",
        "dateReserved": "2024-01-19T00:18:53.233Z",
        "dateUpdated": "2024-11-13T15:09:39.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }