VYPR
High severityNVD Advisory· Published Jan 24, 2024· Updated Nov 13, 2024

Sending a GET or HEAD request with a body crashes SvelteKit

CVE-2024-23641

Description

SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg {} to a built and previewed/hosted sveltekit app throws Request with GET/HEAD method cannot have body. and crashes the preview/hosting. After this happens, one must manually restart the app. TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. @sveltejs/adapter-node versions 2.1.2, 3.0.3, and 4.0.1 and @sveltejs/kit version 2.4.3 contain a patch for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@sveltejs/kitnpm
>= 2.0.0, < 2.4.32.4.3
@sveltejs/adapter-nodenpm
>= 2.0.0, < 2.1.22.1.2
@sveltejs/adapter-nodenpm
>= 3.0.0, < 3.0.33.0.3
@sveltejs/adapter-nodenpm
>= 4.0.0, < 4.0.14.0.1

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.