@sveltejs/kit 2.49.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @sveltejs/kit package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Memory Allocation with Excessive Size Value @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the `deserialize_binary_form()` function via Remote Form endpoint. An attacker can cause excessive memory allocation by sending a specially crafted payload with a small header indicating a large data length and then stalling the connection, leading the server to allocate large buffers and potentially exhaust memory resources. How to fix Memory Allocation with Excessive Size Value? Upgrade `@sveltejs/kit` to version 2.49.5 or higher.	>=2.49.0 <2.49.5
H Server-side Request Forgery (SSRF) @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper decoding of protocol headers in resolved path. An attacker can cause the server process to terminate or access internal services by sending crafted requests, potentially leading to unauthorized access to internal resources or cache poisoning attacks. Note: This is only exploitable if at least one prerendered route is present, and for accessing internal services, the application must use the node adapter without a configured `ORIGIN` environment variable and lack a reverse proxy with Host header validation. How to fix Server-side Request Forgery (SSRF)? Upgrade `@sveltejs/kit` to version 2.49.5 or higher.	>=2.19.0 <2.49.5

Vulnerability

Vulnerable Version

Memory Allocation with Excessive Size Value

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the deserialize_binary_form() function via Remote Form endpoint. An attacker can cause excessive memory allocation by sending a specially crafted payload with a small header indicating a large data length and then stalling the connection, leading the server to allocate large buffers and potentially exhaust memory resources.

How to fix Memory Allocation with Excessive Size Value?

Upgrade @sveltejs/kit to version 2.49.5 or higher.

>=2.49.0 <2.49.5

Server-side Request Forgery (SSRF)

@sveltejs/kit is a SvelteKit framework and CLI

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper decoding of protocol headers in resolved path. An attacker can cause the server process to terminate or access internal services by sending crafted requests, potentially leading to unauthorized access to internal resources or cache poisoning attacks.

Note:

This is only exploitable if at least one prerendered route is present, and for accessing internal services, the application must use the node adapter without a configured ORIGIN environment variable and lack a reverse proxy with Host header validation.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @sveltejs/kit to version 2.49.5 or higher.

>=2.19.0 <2.49.5

@sveltejs/kit@2.49.4 vulnerabilities

SvelteKit is the fastest way to build Svelte apps

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically