@sveltejs/kit 2.20.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @sveltejs/kit package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper decoding of protocol headers in resolved path. An attacker can cause the server process to terminate or access internal services by sending crafted requests, potentially leading to unauthorized access to internal resources or cache poisoning attacks. Note: This is only exploitable if at least one prerendered route is present, and for accessing internal services, the application must use the node adapter without a configured `ORIGIN` environment variable and lack a reverse proxy with Host header validation. How to fix Server-side Request Forgery (SSRF)? Upgrade `@sveltejs/kit` to version 2.49.5 or higher.	>=2.19.0 <2.49.5
M Cross-site Scripting (XSS) @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when processing a `load()` function call. An attacker can execute scripts in the context of the user's browser session by convincing a user to follow a malicious link via URL that contains a script. If an application's invocation of `load()` iterates over the tracked search params in `event.url.searchParams` it will retrieve and render the contents of each one, including the malicious URL. How to fix Cross-site Scripting (XSS)? Upgrade `@sveltejs/kit` to version 2.20.6 or higher.	>=2.0.0 <2.20.6

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper decoding of protocol headers in resolved path. An attacker can cause the server process to terminate or access internal services by sending crafted requests, potentially leading to unauthorized access to internal resources or cache poisoning attacks.

Note:

This is only exploitable if at least one prerendered route is present, and for accessing internal services, the application must use the node adapter without a configured ORIGIN environment variable and lack a reverse proxy with Host header validation.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @sveltejs/kit to version 2.49.5 or higher.

>=2.19.0 <2.49.5

Cross-site Scripting (XSS)

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when processing a load() function call. An attacker can execute scripts in the context of the user's browser session by convincing a user to follow a malicious link via URL that contains a script. If an application's invocation of load() iterates over the tracked search params in event.url.searchParams it will retrieve and render the contents of each one, including the malicious URL.

How to fix Cross-site Scripting (XSS)?

Upgrade @sveltejs/kit to version 2.20.6 or higher.

>=2.0.0 <2.20.6

@sveltejs/kit@2.20.1 vulnerabilities

SvelteKit is the fastest way to build Svelte apps

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically