Allocation of Resources Without Limits or Throttling Affecting @sveltejs/kit package, versions >=2.49.0 <2.53.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-SVELTEJSKIT-15366380
- published1 Mar 2026
- disclosed28 Feb 2026
- creditJoachim Viide
Introduced: 28 Feb 2026
CVE NOT AVAILABLE CWE-770 (opens in a new tab)How to fix?
Upgrade @sveltejs/kit to version 2.53.3 or higher.
Overview
@sveltejs/kit is a SvelteKit framework and CLI
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the deserialize_binary_form function in the remote form handler. An attacker can exhaust application resources by sending crafted binary form payloads with file entries that reuse or overlap the same offsets, causing the handler to inflate the files array and perform costly processing.
Notes: Only users with experimental.remoteFunctions: true who are using the form function and are processing the files array without validation are vulnerable.