GHSA-FPG4-JHQR-589C

Vulnerability from github – Published: 2026-02-28 02:04 – Updated: 2026-02-28 02:04
Summary
SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)
Details

Some relatively small inputs can cause very large `files` arrays in `form` handlers. If the SvelteKit application code does not check `files.length` or the individual files' sizes before performing expensive per-file processing, the request amplifies into unbounded work and can result in Denial of Service (CWE-770, allocation of resources without limits or throttling).

Only users with `experimental.remoteFunctions: true` who are using the `form` function and are processing the `files` array without validation are vulnerable. Affected versions are 2.49.0 through 2.53.2 of `@sveltejs/kit`; the fix is in 2.53.3.
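The practitioner-side mitigation the advisory points at is an input guard: bound `files.length` and each file's size before any expensive per-file work runs, so that a request which expands into many entries is rejected in constant time. The following is an added example written for this page, not code from SvelteKit or the advisory. It assumes a hypothetical handler that receives a plain array of `{ name, size }` objects and uses `expensiveProcess` as a stand-in for the costly work (transcoding, scanning, hashing); the constructed large array stands in for what a small malicious payload expands into and is not a real SvelteKit request.

```javascript
// Added example (not SvelteKit's code): guard the `files` array a form
// handler receives before doing any expensive per-file work.
// Assumptions (hypothetical, not the SvelteKit API): the handler receives an
// array of objects with `name` and `size`, and `expensiveProcess` is a stand-in
// for the costly per-file work (image transcoding, virus scanning, ...).

const LIMITS = Object.freeze({
  maxFiles: 10,                    // reject requests carrying more files than this
  maxFileBytes: 5 * 1024 * 1024,   // per-file cap
  maxTotalBytes: 20 * 1024 * 1024  // cap on the sum of declared sizes
});

class FileLimitError extends Error {
  constructor(message, code) { super(message); this.code = code; }
}

// Throws before any per-file work starts. Order matters: the O(1) length
// check runs first so an expanded array is rejected without being scanned.
function validateFiles(files, limits = LIMITS) {
  if (!Array.isArray(files)) throw new FileLimitError('files must be an array', 'not_array');
  if (files.length > limits.maxFiles) {
    throw new FileLimitError(`too many files: ${files.length} > ${limits.maxFiles}`, 'too_many');
  }
  let total = 0;
  for (const f of files) {
    if (!f || !Number.isSafeInteger(f.size) || f.size < 0) {
      throw new FileLimitError('file entry has no valid size', 'bad_size');
    }
    if (f.size > limits.maxFileBytes) {
      throw new FileLimitError(`${f.name}: ${f.size} bytes exceeds per-file cap`, 'too_large');
    }
    total += f.size;
    if (total > limits.maxTotalBytes) {
      throw new FileLimitError('total upload size exceeds cap', 'total_too_large');
    }
  }
  return { count: files.length, totalBytes: total };
}

// Stand-in for expensive per-file work; counts invocations so a caller can
// prove the hardened handler never reaches it on a rejected request.
let processed = 0;
function expensiveProcess(file) { processed += 1; return file.size; }
function processedCount() { return processed; }

// Vulnerable shape: iterates whatever it is handed. A request that expands
// into N entries costs N units of work.
function vulnerableHandler(files) {
  return files.map(expensiveProcess).reduce((a, b) => a + b, 0);
}

// Hardened shape: identical work, but only after validateFiles() bounded it.
function hardenedHandler(files) {
  validateFiles(files);
  return vulnerableHandler(files);
}

// Constructed sample input: a large array standing in for what a small
// malicious payload expands into; not a real request.
function buildExpandedFiles(n) {
  return Array.from({ length: n }, (_, i) => ({ name: `f${i}.bin`, size: 1 }));
}

// Stand-alone demonstration.
const benign = [{ name: 'a.txt', size: 100 }, { name: 'b.txt', size: 200 }];
console.log('benign total bytes:', hardenedHandler(benign));
try {
  hardenedHandler(buildExpandedFiles(100000));
} catch (e) {
  console.log('rejected:', e.code, '- per-file work done:', processedCount());
}
```

The total-size check is cumulative so that many files just under the per-file cap cannot add up to an unbounded total, and the length check comes first so that rejection cost does not scale with the attacker's expansion factor.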


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.53.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@sveltejs/kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.49.0"
            },
            {
              "fixed": "2.53.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T02:04:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Some relatively small inputs can cause very large files arrays in `form` handlers. If the SvelteKit application code doesn\u0027t check `files.length` or individual files\u0027 sizes and performs expensive processing with them, it can result in Denial of Service.\n\nOnly users with `experimental.remoteFunctions: true` who are using the `form` function and are processing the `files` array without validation are vulnerable.",
  "id": "GHSA-fpg4-jhqr-589c",
  "modified": "2026-02-28T02:04:39Z",
  "published": "2026-02-28T02:04:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-fpg4-jhqr-589c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/commit/faba869db3644077169bf5d7c6e41fd5f3d6c65e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/kit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.53.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SvelteKit  has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)"
}

