Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for kit by svelte
CVE-2026-40074 (GCVE-0-2026-40074)
Vulnerability from nvd – Published: 2026-04-10 16:26 – Updated: 2026-04-14 14:17
VLAI?
Title
SvelteKit's invalidated redirect in handle hook causes Denial-of-Service
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
Severity ?
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:17:18.734745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:17:29.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 2.57.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T16:26:07.068Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"
},
{
"name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"
},
{
"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
}
],
"source": {
"advisory": "GHSA-3f6h-2hrp-w5wx",
"discovery": "UNKNOWN"
},
"title": "SvelteKit\u0027s invalidated redirect in handle hook causes Denial-of-Service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40074",
"datePublished": "2026-04-10T16:26:07.068Z",
"dateReserved": "2026-04-09T00:39:12.205Z",
"dateUpdated": "2026-04-14T14:17:29.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40073 (GCVE-0-2026-40073)
Vulnerability from nvd – Published: 2026-04-10 16:24 – Updated: 2026-04-13 15:36
VLAI?
Title
SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:04:15.946303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:36:57.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 2.57.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T16:24:39.987Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"
},
{
"name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"
},
{
"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
}
],
"source": {
"advisory": "GHSA-2crg-3p73-43xp",
"discovery": "UNKNOWN"
},
"title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40073",
"datePublished": "2026-04-10T16:24:39.987Z",
"dateReserved": "2026-04-09T00:39:12.204Z",
"dateUpdated": "2026-04-13T15:36:57.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22803 (GCVE-0-2026-22803)
Vulnerability from nvd – Published: 2026-01-15 18:37 – Updated: 2026-01-15 19:06
VLAI?
Title
SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
Severity ?
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T19:06:02.781041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T19:06:13.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.49.0, \u003c 2.49.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:37:57.831Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"
},
{
"name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"
},
{
"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"
}
],
"source": {
"advisory": "GHSA-j2f3-wq62-6q46",
"discovery": "UNKNOWN"
},
"title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22803",
"datePublished": "2026-01-15T18:37:57.831Z",
"dateReserved": "2026-01-09T22:50:10.287Z",
"dateUpdated": "2026-01-15T19:06:13.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67647 (GCVE-0-2025-67647)
Vulnerability from nvd – Published: 2026-01-15 18:33 – Updated: 2026-01-15 18:58
VLAI?
Title
SvelteKit Denial of service and possible SSRF when using prerendering
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
Severity ?
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67647",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T18:57:32.614460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:58:01.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.49.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:33:25.295Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35"
},
{
"name": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226"
}
],
"source": {
"advisory": "GHSA-j62c-4x62-9r35",
"discovery": "UNKNOWN"
},
"title": "SvelteKit Denial of service and possible SSRF when using prerendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67647",
"datePublished": "2026-01-15T18:33:25.295Z",
"dateReserved": "2025-12-09T18:36:41.331Z",
"dateUpdated": "2026-01-15T18:58:01.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-23641 (GCVE-0-2024-23641)
Vulnerability from nvd – Published: 2024-01-24 16:56 – Updated: 2024-11-13 15:09
VLAI?
Title
Sending a GET or HEAD request with a body crashes SvelteKit
Summary
SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
},
{
"name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23641",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T15:09:24.824860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T15:09:39.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.1.2"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.3"
},
{
"status": "affected",
"version": "= 4.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-24T16:56:32.392Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
},
{
"name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
}
],
"source": {
"advisory": "GHSA-g5m6-hxpp-fc49",
"discovery": "UNKNOWN"
},
"title": "Sending a GET or HEAD request with a body crashes SvelteKit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23641",
"datePublished": "2024-01-24T16:56:32.392Z",
"dateReserved": "2024-01-19T00:18:53.233Z",
"dateUpdated": "2024-11-13T15:09:39.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-40074 (GCVE-0-2026-40074)
Vulnerability from cvelistv5 – Published: 2026-04-10 16:26 – Updated: 2026-04-14 14:17
VLAI?
Title
SvelteKit's invalidated redirect in handle hook causes Denial-of-Service
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
Severity ?
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:17:18.734745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:17:29.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 2.57.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T16:26:07.068Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"
},
{
"name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"
},
{
"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
}
],
"source": {
"advisory": "GHSA-3f6h-2hrp-w5wx",
"discovery": "UNKNOWN"
},
"title": "SvelteKit\u0027s invalidated redirect in handle hook causes Denial-of-Service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40074",
"datePublished": "2026-04-10T16:26:07.068Z",
"dateReserved": "2026-04-09T00:39:12.205Z",
"dateUpdated": "2026-04-14T14:17:29.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40073 (GCVE-0-2026-40073)
Vulnerability from cvelistv5 – Published: 2026-04-10 16:24 – Updated: 2026-04-13 15:36
VLAI?
Title
SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:04:15.946303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:36:57.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 2.57.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T16:24:39.987Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"
},
{
"name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"
},
{
"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
}
],
"source": {
"advisory": "GHSA-2crg-3p73-43xp",
"discovery": "UNKNOWN"
},
"title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40073",
"datePublished": "2026-04-10T16:24:39.987Z",
"dateReserved": "2026-04-09T00:39:12.204Z",
"dateUpdated": "2026-04-13T15:36:57.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22803 (GCVE-0-2026-22803)
Vulnerability from cvelistv5 – Published: 2026-01-15 18:37 – Updated: 2026-01-15 19:06
VLAI?
Title
SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
Severity ?
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T19:06:02.781041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T19:06:13.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.49.0, \u003c 2.49.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:37:57.831Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"
},
{
"name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"
},
{
"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"
}
],
"source": {
"advisory": "GHSA-j2f3-wq62-6q46",
"discovery": "UNKNOWN"
},
"title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22803",
"datePublished": "2026-01-15T18:37:57.831Z",
"dateReserved": "2026-01-09T22:50:10.287Z",
"dateUpdated": "2026-01-15T19:06:13.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67647 (GCVE-0-2025-67647)
Vulnerability from cvelistv5 – Published: 2026-01-15 18:33 – Updated: 2026-01-15 18:58
VLAI?
Title
SvelteKit Denial of service and possible SSRF when using prerendering
Summary
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
Severity ?
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67647",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T18:57:32.614460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:58:01.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.49.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:33:25.295Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35"
},
{
"name": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226"
}
],
"source": {
"advisory": "GHSA-j62c-4x62-9r35",
"discovery": "UNKNOWN"
},
"title": "SvelteKit Denial of service and possible SSRF when using prerendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67647",
"datePublished": "2026-01-15T18:33:25.295Z",
"dateReserved": "2025-12-09T18:36:41.331Z",
"dateUpdated": "2026-01-15T18:58:01.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-23641 (GCVE-0-2024-23641)
Vulnerability from cvelistv5 – Published: 2024-01-24 16:56 – Updated: 2024-11-13 15:09
VLAI?
Title
Sending a GET or HEAD request with a body crashes SvelteKit
Summary
SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
},
{
"name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23641",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T15:09:24.824860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T15:09:39.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kit",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.1.2"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.3"
},
{
"status": "affected",
"version": "= 4.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-24T16:56:32.392Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
},
{
"name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
}
],
"source": {
"advisory": "GHSA-g5m6-hxpp-fc49",
"discovery": "UNKNOWN"
},
"title": "Sending a GET or HEAD request with a body crashes SvelteKit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23641",
"datePublished": "2024-01-24T16:56:32.392Z",
"dateReserved": "2024-01-19T00:18:53.233Z",
"dateUpdated": "2024-11-13T15:09:39.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}