Search

Find a vulnerability

Search criteria

    22 vulnerabilities found for kit by sveltejs

    CVE-2026-40074 (GCVE-0-2026-40074)

    Vulnerability from nvd – Published: 2026-04-10 16:26 – Updated: 2026-04-14 14:17
    VLAI
    Title
    SvelteKit's invalidated redirect in handle hook causes Denial-of-Service
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-755 - Improper Handling of Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:17:18.734745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:17:29.422Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-755",
                  "description": "CWE-755: Improper Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:26:07.068Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-3f6h-2hrp-w5wx",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit\u0027s invalidated redirect in handle hook causes Denial-of-Service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40074",
        "datePublished": "2026-04-10T16:26:07.068Z",
        "dateReserved": "2026-04-09T00:39:12.205Z",
        "dateUpdated": "2026-04-14T14:17:29.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40073 (GCVE-0-2026-40073)

    Vulnerability from nvd – Published: 2026-04-10 16:24 – Updated: 2026-04-13 15:36
    VLAI
    Title
    SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40073",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:04:15.946303Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:36:57.412Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:24:39.987Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-2crg-3p73-43xp",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40073",
        "datePublished": "2026-04-10T16:24:39.987Z",
        "dateReserved": "2026-04-09T00:39:12.204Z",
        "dateUpdated": "2026-04-13T15:36:57.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27118 (GCVE-0-2026-27118)

    Vulnerability from nvd – Published: 2026-02-20 21:24 – Updated: 2026-02-24 18:42
    VLAI
    Title
    Cache poisoning in @sveltejs/adapter-vercel
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 6.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27118",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T18:41:44.555338Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T18:42:11.028Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel\u0027s WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-20T21:24:55.577Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-9pq4-5hcf-288c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-9pq4-5hcf-288c"
            }
          ],
          "source": {
            "advisory": "GHSA-9pq4-5hcf-288c",
            "discovery": "UNKNOWN"
          },
          "title": "Cache poisoning in @sveltejs/adapter-vercel"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-27118",
        "datePublished": "2026-02-20T21:24:55.577Z",
        "dateReserved": "2026-02-17T18:42:27.043Z",
        "dateUpdated": "2026-02-24T18:42:11.028Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22803 (GCVE-0-2026-22803)

    Vulnerability from nvd – Published: 2026-01-15 18:37 – Updated: 2026-01-15 19:06
    VLAI
    Title
    SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.49.0, < 2.49.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T19:06:02.781041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T19:06:13.528Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.49.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:37:57.831Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"
            }
          ],
          "source": {
            "advisory": "GHSA-j2f3-wq62-6q46",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22803",
        "datePublished": "2026-01-15T18:37:57.831Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-15T19:06:13.528Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67647 (GCVE-0-2025-67647)

    Vulnerability from nvd – Published: 2026-01-15 18:33 – Updated: 2026-01-15 18:58
    VLAI
    Title
    SvelteKit Denial of service and possible SSRF when using prerendering
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-248 - Uncaught Exception
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.19.0, < 2.49.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67647",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:57:32.614460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:58:01.975Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.19.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:33:25.295Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226"
            }
          ],
          "source": {
            "advisory": "GHSA-j62c-4x62-9r35",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit Denial of service and possible SSRF when using prerendering"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-67647",
        "datePublished": "2026-01-15T18:33:25.295Z",
        "dateReserved": "2025-12-09T18:36:41.331Z",
        "dateUpdated": "2026-01-15T18:58:01.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-32388 (GCVE-0-2025-32388)

    Vulnerability from nvd – Published: 2025-04-15 22:32 – Updated: 2025-04-16 13:33
    VLAI
    Title
    SvelteKit allows XSS via tracked search_params
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.0.0, < 2.20.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32388",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T13:33:24.850741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T13:33:47.383Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.20.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-15T22:32:06.059Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6"
            }
          ],
          "source": {
            "advisory": "GHSA-6q87-84jw-cjhp",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit allows XSS via tracked search_params"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-32388",
        "datePublished": "2025-04-15T22:32:06.059Z",
        "dateReserved": "2025-04-06T19:46:02.463Z",
        "dateUpdated": "2025-04-16T13:33:47.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53262 (GCVE-0-2024-53262)

    Vulnerability from nvd – Published: 2024-11-25 19:07 – Updated: 2024-11-25 20:24
    VLAI
    Title
    Unescaped error message included on error page in SvelteKit
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.8.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T20:23:50.461446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T20:24:05.750Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.8.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% \u2014 the HTTP status, and %sveltekit.error.message% \u2014 the error message.  This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-25T19:07:20.317Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794"
            },
            {
              "name": "https://kit.svelte.dev/docs/errors",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kit.svelte.dev/docs/errors"
            }
          ],
          "source": {
            "advisory": "GHSA-mh2x-fcqh-fmqv",
            "discovery": "UNKNOWN"
          },
          "title": "Unescaped error message included on error page in SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53262",
        "datePublished": "2024-11-25T19:07:20.317Z",
        "dateReserved": "2024-11-19T20:08:14.481Z",
        "dateUpdated": "2024-11-25T20:24:05.750Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53261 (GCVE-0-2024-53261)

    Vulnerability from nvd – Published: 2024-11-25 19:15 – Updated: 2024-11-25 20:04
    VLAI
    Title
    Cross-Site Scripting attack (XSS) on dev mode 404 page in SvelteKit
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)." The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. None the less this issue has been addressed in version 2.8.3 and all users are advised to upgrade.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.8.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53261",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T20:01:35.408501Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T20:04:36.967Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.8.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. \"Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).\" The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. None the less this issue has been addressed in version 2.8.3 and all users are advised to upgrade."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-25T19:15:28.233Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438"
            }
          ],
          "source": {
            "advisory": "GHSA-rjjv-87mx-6x3h",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-Site Scripting attack (XSS) on dev mode 404 page in SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53261",
        "datePublished": "2024-11-25T19:15:28.233Z",
        "dateReserved": "2024-11-19T20:08:14.480Z",
        "dateUpdated": "2024-11-25T20:04:36.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23641 (GCVE-0-2024-23641)

    Vulnerability from nvd – Published: 2024-01-24 16:56 – Updated: 2024-11-13 15:09
    VLAI
    Title
    Sending a GET or HEAD request with a body crashes SvelteKit
    Summary
    SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.0.0, < 2.4.3
    Affected: >= 2.0.0, < 2.1.2
    Affected: >= 3.0.0, < 3.0.3
    Affected: = 4.0.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T15:09:24.824860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T15:09:39.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.0.3"
                },
                {
                  "status": "affected",
                  "version": "= 4.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-24T16:56:32.392Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
            }
          ],
          "source": {
            "advisory": "GHSA-g5m6-hxpp-fc49",
            "discovery": "UNKNOWN"
          },
          "title": "Sending a GET or HEAD request with a body crashes SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-23641",
        "datePublished": "2024-01-24T16:56:32.392Z",
        "dateReserved": "2024-01-19T00:18:53.233Z",
        "dateUpdated": "2024-11-13T15:09:39.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29008 (GCVE-0-2023-29008)

    Vulnerability from nvd – Published: 2023-04-06 16:36 – Updated: 2025-02-10 16:26
    VLAI
    Title
    SvelteKit framework has Insufficient CSRF protection for CORS requests
    Summary
    The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters, but this check does not block all expected CORS requests. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. This may lead to all POST operations requiring authentication being allowed in the following cases: If the target site sets `SameSite=None` on its auth cookie and the user visits a malicious site in a Chromium-based browser; if the target site doesn't set the `SameSite` attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off; and/or if the user is visiting a malicious site with a very outdated browser. SvelteKit 1.15.2 contains a patch for this issue. It is also recommended to explicitly set `SameSite` to a value other than `None` on authentication cookies especially if the upgrade cannot be done in a timely manner.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 1.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:14.369Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29008",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T16:26:20.753573Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T16:26:25.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods.\n\nSvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters, but this check does not block all expected CORS requests.\n\nIf abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim\u0027s session, and in extreme scenarios can lead to unauthorized access to users\u2019 accounts. This may lead to all POST operations requiring authentication being allowed in the following cases: If the target site sets `SameSite=None` on its auth cookie and the user visits a malicious site in a Chromium-based browser; if the target site doesn\u0027t set the `SameSite` attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off; and/or if the user is visiting a malicious site with a very outdated browser.\n\nSvelteKit 1.15.2 contains a patch for this issue. It is also recommended to explicitly set `SameSite` to a value other than `None` on authentication cookies especially if the upgrade cannot be done in a timely manner."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-06T16:36:50.972Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f"
            }
          ],
          "source": {
            "advisory": "GHSA-gv7g-x59x-wf8f",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit framework has Insufficient CSRF protection for CORS requests"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-29008",
        "datePublished": "2023-04-06T16:36:50.972Z",
        "dateReserved": "2023-03-29T17:39:16.143Z",
        "dateUpdated": "2025-02-10T16:26:25.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29003 (GCVE-0-2023-29003)

    Vulnerability from nvd – Published: 2023-04-04 21:20 – Updated: 2025-02-10 21:29
    VLAI
    Title
    SvelteKit has Insufficient Cross-Site Request Forgery Protection
    Summary
    SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. SvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    • CWE-184 - Incomplete List of Disallowed Inputs
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 1.15.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123"
              },
              {
                "name": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29003",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T21:29:10.259849Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T21:29:13.609Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.15.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods.\n\nSvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value.\n\nIf abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim\u0027s session, and in extreme scenarios can lead to unauthorized access to users\u2019 accounts.\n\nSvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-04T21:20:43.983Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1"
            }
          ],
          "source": {
            "advisory": "GHSA-5p75-vc5g-8rv2",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has Insufficient Cross-Site Request Forgery Protection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-29003",
        "datePublished": "2023-04-04T21:20:43.983Z",
        "dateReserved": "2023-03-29T17:39:16.142Z",
        "dateUpdated": "2025-02-10T21:29:13.609Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-40074 (GCVE-0-2026-40074)

    Vulnerability from cvelistv5 – Published: 2026-04-10 16:26 – Updated: 2026-04-14 14:17
    VLAI
    Title
    SvelteKit's invalidated redirect in handle hook causes Denial-of-Service
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-755 - Improper Handling of Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:17:18.734745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:17:29.422Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-755",
                  "description": "CWE-755: Improper Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:26:07.068Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-3f6h-2hrp-w5wx",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit\u0027s invalidated redirect in handle hook causes Denial-of-Service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40074",
        "datePublished": "2026-04-10T16:26:07.068Z",
        "dateReserved": "2026-04-09T00:39:12.205Z",
        "dateUpdated": "2026-04-14T14:17:29.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40073 (GCVE-0-2026-40073)

    Vulnerability from cvelistv5 – Published: 2026-04-10 16:24 – Updated: 2026-04-13 15:36
    VLAI
    Title
    SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.57.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40073",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:04:15.946303Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:36:57.412Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.57.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T16:24:39.987Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"
            }
          ],
          "source": {
            "advisory": "GHSA-2crg-3p73-43xp",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40073",
        "datePublished": "2026-04-10T16:24:39.987Z",
        "dateReserved": "2026-04-09T00:39:12.204Z",
        "dateUpdated": "2026-04-13T15:36:57.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27118 (GCVE-0-2026-27118)

    Vulnerability from cvelistv5 – Published: 2026-02-20 21:24 – Updated: 2026-02-24 18:42
    VLAI
    Title
    Cache poisoning in @sveltejs/adapter-vercel
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 6.3.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27118",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T18:41:44.555338Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T18:42:11.028Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.3.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel\u0027s WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-20T21:24:55.577Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-9pq4-5hcf-288c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-9pq4-5hcf-288c"
            }
          ],
          "source": {
            "advisory": "GHSA-9pq4-5hcf-288c",
            "discovery": "UNKNOWN"
          },
          "title": "Cache poisoning in @sveltejs/adapter-vercel"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-27118",
        "datePublished": "2026-02-20T21:24:55.577Z",
        "dateReserved": "2026-02-17T18:42:27.043Z",
        "dateUpdated": "2026-02-24T18:42:11.028Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22803 (GCVE-0-2026-22803)

    Vulnerability from cvelistv5 – Published: 2026-01-15 18:37 – Updated: 2026-01-15 19:06
    VLAI
    Title
    SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.49.0, < 2.49.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T19:06:02.781041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T19:06:13.528Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.49.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:37:57.831Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"
            }
          ],
          "source": {
            "advisory": "GHSA-j2f3-wq62-6q46",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22803",
        "datePublished": "2026-01-15T18:37:57.831Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-15T19:06:13.528Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67647 (GCVE-0-2025-67647)

    Vulnerability from cvelistv5 – Published: 2026-01-15 18:33 – Updated: 2026-01-15 18:58
    VLAI
    Title
    SvelteKit Denial of service and possible SSRF when using prerendering
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-248 - Uncaught Exception
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.19.0, < 2.49.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67647",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-15T18:57:32.614460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-15T18:58:01.975Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.19.0, \u003c 2.49.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-15T18:33:25.295Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226"
            }
          ],
          "source": {
            "advisory": "GHSA-j62c-4x62-9r35",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit Denial of service and possible SSRF when using prerendering"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-67647",
        "datePublished": "2026-01-15T18:33:25.295Z",
        "dateReserved": "2025-12-09T18:36:41.331Z",
        "dateUpdated": "2026-01-15T18:58:01.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-32388 (GCVE-0-2025-32388)

    Vulnerability from cvelistv5 – Published: 2025-04-15 22:32 – Updated: 2025-04-16 13:33
    VLAI
    Title
    SvelteKit allows XSS via tracked search_params
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.0.0, < 2.20.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32388",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T13:33:24.850741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T13:33:47.383Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.20.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-15T22:32:06.059Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d3300c6a67908590266c363dba7b0835d9a194cf"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.20.6"
            }
          ],
          "source": {
            "advisory": "GHSA-6q87-84jw-cjhp",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit allows XSS via tracked search_params"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-32388",
        "datePublished": "2025-04-15T22:32:06.059Z",
        "dateReserved": "2025-04-06T19:46:02.463Z",
        "dateUpdated": "2025-04-16T13:33:47.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53261 (GCVE-0-2024-53261)

    Vulnerability from cvelistv5 – Published: 2024-11-25 19:15 – Updated: 2024-11-25 20:04
    VLAI
    Title
    Cross-Site Scripting attack (XSS) on dev mode 404 page in SvelteKit
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)." The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. None the less this issue has been addressed in version 2.8.3 and all users are advised to upgrade.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.8.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53261",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T20:01:35.408501Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T20:04:36.967Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.8.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. \"Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).\" The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. None the less this issue has been addressed in version 2.8.3 and all users are advised to upgrade."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-25T19:15:28.233Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-rjjv-87mx-6x3h"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/d338d4635a7fd947ba5112df6ee632c4a0979438"
            }
          ],
          "source": {
            "advisory": "GHSA-rjjv-87mx-6x3h",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-Site Scripting attack (XSS) on dev mode 404 page in SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53261",
        "datePublished": "2024-11-25T19:15:28.233Z",
        "dateReserved": "2024-11-19T20:08:14.480Z",
        "dateUpdated": "2024-11-25T20:04:36.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53262 (GCVE-0-2024-53262)

    Vulnerability from cvelistv5 – Published: 2024-11-25 19:07 – Updated: 2024-11-25 20:24
    VLAI
    Title
    Unescaped error message included on error page in SvelteKit
    Summary
    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 2.8.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T20:23:50.461446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T20:24:05.750Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.8.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% \u2014 the HTTP status, and %sveltekit.error.message% \u2014 the error message.  This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-25T19:07:20.317Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794"
            },
            {
              "name": "https://kit.svelte.dev/docs/errors",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kit.svelte.dev/docs/errors"
            }
          ],
          "source": {
            "advisory": "GHSA-mh2x-fcqh-fmqv",
            "discovery": "UNKNOWN"
          },
          "title": "Unescaped error message included on error page in SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53262",
        "datePublished": "2024-11-25T19:07:20.317Z",
        "dateReserved": "2024-11-19T20:08:14.481Z",
        "dateUpdated": "2024-11-25T20:24:05.750Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23641 (GCVE-0-2024-23641)

    Vulnerability from cvelistv5 – Published: 2024-01-24 16:56 – Updated: 2024-11-13 15:09
    VLAI
    Title
    Sending a GET or HEAD request with a body crashes SvelteKit
    Summary
    SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: >= 2.0.0, < 2.4.3
    Affected: >= 2.0.0, < 2.1.2
    Affected: >= 3.0.0, < 3.0.3
    Affected: = 4.0.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T15:09:24.824860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T15:09:39.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.0.3"
                },
                {
                  "status": "affected",
                  "version": "= 4.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-24T16:56:32.392Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9"
            }
          ],
          "source": {
            "advisory": "GHSA-g5m6-hxpp-fc49",
            "discovery": "UNKNOWN"
          },
          "title": "Sending a GET or HEAD request with a body crashes SvelteKit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-23641",
        "datePublished": "2024-01-24T16:56:32.392Z",
        "dateReserved": "2024-01-19T00:18:53.233Z",
        "dateUpdated": "2024-11-13T15:09:39.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29008 (GCVE-0-2023-29008)

    Vulnerability from cvelistv5 – Published: 2023-04-06 16:36 – Updated: 2025-02-10 16:26
    VLAI
    Title
    SvelteKit framework has Insufficient CSRF protection for CORS requests
    Summary
    The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters, but this check does not block all expected CORS requests. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. This may lead to all POST operations requiring authentication being allowed in the following cases: If the target site sets `SameSite=None` on its auth cookie and the user visits a malicious site in a Chromium-based browser; if the target site doesn't set the `SameSite` attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off; and/or if the user is visiting a malicious site with a very outdated browser. SvelteKit 1.15.2 contains a patch for this issue. It is also recommended to explicitly set `SameSite` to a value other than `None` on authentication cookies especially if the upgrade cannot be done in a timely manner.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 1.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:14.369Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29008",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T16:26:20.753573Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T16:26:25.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods.\n\nSvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters, but this check does not block all expected CORS requests.\n\nIf abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim\u0027s session, and in extreme scenarios can lead to unauthorized access to users\u2019 accounts. This may lead to all POST operations requiring authentication being allowed in the following cases: If the target site sets `SameSite=None` on its auth cookie and the user visits a malicious site in a Chromium-based browser; if the target site doesn\u0027t set the `SameSite` attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off; and/or if the user is visiting a malicious site with a very outdated browser.\n\nSvelteKit 1.15.2 contains a patch for this issue. It is also recommended to explicitly set `SameSite` to a value other than `None` on authentication cookies especially if the upgrade cannot be done in a timely manner."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-06T16:36:50.972Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-gv7g-x59x-wf8f"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f"
            }
          ],
          "source": {
            "advisory": "GHSA-gv7g-x59x-wf8f",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit framework has Insufficient CSRF protection for CORS requests"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-29008",
        "datePublished": "2023-04-06T16:36:50.972Z",
        "dateReserved": "2023-03-29T17:39:16.143Z",
        "dateUpdated": "2025-02-10T16:26:25.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29003 (GCVE-0-2023-29003)

    Vulnerability from cvelistv5 – Published: 2023-04-04 21:20 – Updated: 2025-02-10 21:29
    VLAI
    Title
    SvelteKit has Insufficient Cross-Site Request Forgery Protection
    Summary
    SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. SvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    • CWE-184 - Incomplete List of Disallowed Inputs
    Assigner
    Impacted products
    Vendor Product Version
    sveltejs kit Affected: < 1.15.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2"
              },
              {
                "name": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123"
              },
              {
                "name": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29003",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T21:29:10.259849Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T21:29:13.609Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kit",
              "vendor": "sveltejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.15.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods.\n\nSvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value.\n\nIf abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim\u0027s session, and in extreme scenarios can lead to unauthorized access to users\u2019 accounts.\n\nSvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-04T21:20:43.983Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-5p75-vc5g-8rv2"
            },
            {
              "name": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123"
            },
            {
              "name": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%401.15.1"
            }
          ],
          "source": {
            "advisory": "GHSA-5p75-vc5g-8rv2",
            "discovery": "UNKNOWN"
          },
          "title": "SvelteKit has Insufficient Cross-Site Request Forgery Protection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-29003",
        "datePublished": "2023-04-04T21:20:43.983Z",
        "dateReserved": "2023-03-29T17:39:16.142Z",
        "dateUpdated": "2025-02-10T21:29:13.609Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }