@sveltejs/kit 2.20.1

Direct Vulnerabilities

Known vulnerabilities in the @sveltejs/kit package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the request processing. An attacker can send requests that exceed `BODY_SIZE_LIMIT` restriction to applications running with `adapter-node` and cause an application to crash. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `@sveltejs/kit` to version 2.57.1 or higher.	<2.57.1
M Improper Handling of Exceptional Conditions @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the `redirect()` function in the `handle` server hook when the location parameter contains characters invalid in an HTTP header. An attacker can cause an unhandled `TypeError` and disrupt service availability by supplying unsanitized user input to the location parameter. How to fix Improper Handling of Exceptional Conditions? Upgrade `@sveltejs/kit` to version 2.57.1 or higher.	<2.57.1
H Server-side Request Forgery (SSRF) @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper decoding of protocol headers in resolved path. An attacker can cause the server process to terminate or access internal services by sending crafted requests, potentially leading to unauthorized access to internal resources or cache poisoning attacks. Note: This is only exploitable if at least one prerendered route is present, and for accessing internal services, the application must use the node adapter without a configured `ORIGIN` environment variable and lack a reverse proxy with Host header validation. How to fix Server-side Request Forgery (SSRF)? Upgrade `@sveltejs/kit` to version 2.49.5 or higher.	>=2.19.0 <2.49.5
M Cross-site Scripting (XSS) @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when processing a `load()` function call. An attacker can execute scripts in the context of the user's browser session by convincing a user to follow a malicious link via URL that contains a script. If an application's invocation of `load()` iterates over the tracked search params in `event.url.searchParams` it will retrieve and render the contents of each one, including the malicious URL. How to fix Cross-site Scripting (XSS)? Upgrade `@sveltejs/kit` to version 2.20.6 or higher.	>=2.0.0 <2.20.6

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the request processing. An attacker can send requests that exceed BODY_SIZE_LIMIT restriction to applications running with adapter-node and cause an application to crash.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade @sveltejs/kit to version 2.57.1 or higher.

<2.57.1

Improper Handling of Exceptional Conditions

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the redirect() function in the handle server hook when the location parameter contains characters invalid in an HTTP header. An attacker can cause an unhandled TypeError and disrupt service availability by supplying unsanitized user input to the location parameter.

How to fix Improper Handling of Exceptional Conditions?

Upgrade @sveltejs/kit to version 2.57.1 or higher.

<2.57.1

Server-side Request Forgery (SSRF)

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper decoding of protocol headers in resolved path. An attacker can cause the server process to terminate or access internal services by sending crafted requests, potentially leading to unauthorized access to internal resources or cache poisoning attacks.

Note:

This is only exploitable if at least one prerendered route is present, and for accessing internal services, the application must use the node adapter without a configured ORIGIN environment variable and lack a reverse proxy with Host header validation.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @sveltejs/kit to version 2.49.5 or higher.

>=2.19.0 <2.49.5

Cross-site Scripting (XSS)

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when processing a load() function call. An attacker can execute scripts in the context of the user's browser session by convincing a user to follow a malicious link via URL that contains a script. If an application's invocation of load() iterates over the tracked search params in event.url.searchParams it will retrieve and render the contents of each one, including the malicious URL.

How to fix Cross-site Scripting (XSS)?

Upgrade @sveltejs/kit to version 2.20.6 or higher.

>=2.0.0 <2.20.6

@sveltejs/kit@2.20.1

SvelteKit is the fastest way to build Svelte apps

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically