High severityNVD Advisory· Published Jan 24, 2024· Updated Nov 13, 2024
Sending a GET or HEAD request with a body crashes SvelteKit
CVE-2024-23641
Description
SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg {} to a built and previewed/hosted sveltekit app throws Request with GET/HEAD method cannot have body. and crashes the preview/hosting. After this happens, one must manually restart the app. TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. @sveltejs/adapter-node versions 2.1.2, 3.0.3, and 4.0.1 and @sveltejs/kit version 2.4.3 contain a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@sveltejs/kitnpm | >= 2.0.0, < 2.4.3 | 2.4.3 |
@sveltejs/adapter-nodenpm | >= 2.0.0, < 2.1.2 | 2.1.2 |
@sveltejs/adapter-nodenpm | >= 3.0.0, < 3.0.3 | 3.0.3 |
@sveltejs/adapter-nodenpm | >= 4.0.0, < 4.0.1 | 4.0.1 |
Affected products
3- ghsa-coords2 versions
>= 2.0.0, < 2.1.2+ 1 more
- (no CPE)range: >= 2.0.0, < 2.1.2
- (no CPE)range: >= 2.0.0, < 2.4.3
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-g5m6-hxpp-fc49ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-23641ghsaADVISORY
- github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9ghsax_refsource_MISCWEB
- github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.