VYPR
High severity · NVD Advisory · Published Jan 24, 2024 · Updated Nov 13, 2024

Sending a GET or HEAD request with a body crashes SvelteKit

CVE-2024-23641

Description

SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body (e.g. {}) to a built and previewed or hosted SvelteKit app throws "Request with GET/HEAD method cannot have body." and crashes the preview or hosting process. After this happens, the app must be restarted manually. TRACE requests also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. @sveltejs/adapter-node versions 2.1.2, 3.0.3, and 4.0.1 and @sveltejs/kit version 2.4.3 contain a patch for this issue.
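
The failure described above can be reproduced offline against the Fetch Request constructor alone. The following is an added example, not code from SvelteKit or from this advisory: the function names are hypothetical, it assumes Node.js 18+ (global Request), and a plain string stands in for the raw request body.

```javascript
// Added illustration: function names are hypothetical, not SvelteKit's own.
// Assumes Node.js 18+ (global Fetch `Request`); a string stands in for the raw body stream.
const METHODS_WITH_BODY = new Set(['POST', 'PUT', 'PATCH']);

// Pre-patch shape: whatever body arrived is always handed to the constructor.
function toRequestUnpatched(method, url, rawBody) {
	return new Request(url, { method, body: rawBody });
}

// Patched shape: the body is forwarded only for POST, PUT and PATCH.
function toRequestPatched(method, url, rawBody) {
	return new Request(url, {
		method,
		body: METHODS_WITH_BODY.has(method) ? rawBody : undefined
	});
}

// Run one conversion and report the outcome instead of letting the throw escape.
function probe(convert, method, rawBody) {
	try {
		const req = convert(method, 'http://localhost/', rawBody);
		return { ok: true, hasBody: req.body !== null };
	} catch (err) {
		return { ok: false, error: err.name, message: err.message };
	}
}

// Constructed sample inputs: [method, body]
const SAMPLE_CASES = [['GET', '{}'], ['HEAD', '{}'], ['POST', '{}'], ['DELETE', '{}']];

function compare(cases = SAMPLE_CASES) {
	return cases.map(([method, body]) => ({
		method,
		unpatched: probe(toRequestUnpatched, method, body),
		patched: probe(toRequestPatched, method, body)
	}));
}

for (const row of compare()) {
	console.log(row.method, JSON.stringify(row.unpatched), JSON.stringify(row.patched));
}
```

In the unpatched path, the TypeError for GET and HEAD is the exception the description reports; when nothing catches it, the process goes down. The patched path also drops the body in the DELETE case.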

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions     Patched versions
@sveltejs/kit (npm)            >= 2.0.0, < 2.4.3     2.4.3
@sveltejs/adapter-node (npm)   >= 2.0.0, < 2.1.2     2.1.2
@sveltejs/adapter-node (npm)   >= 3.0.0, < 3.0.3     3.0.3
@sveltejs/adapter-node (npm)   >= 4.0.0, < 4.0.1     4.0.1

Patches

af34142631c8

fix: ignore bodies sent with non-PUT/PATCH/POST requests (#11708)

https://github.com/sveltejs/kit · Rich Harris · Jan 22, 2024 · via ghsa
2 files changed · +9 -1
  • .changeset/smooth-kids-cover.md (+5 -0, added)
    @@ -0,0 +1,5 @@
    +---
    +'@sveltejs/kit': patch
    +---
    +
    +fix: ignore bodies sent with non-PUT/PATCH/POST requests
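
Review bot: The changelog line in this changeset ("fix: ignore bodies sent with non-PUT/PATCH/POST requests") does not say that the previous behaviour stopped the server, so a reader scanning release notes cannot tell that this is an availability fix. Consider wording along the lines of "fix: prevent crash when a GET/HEAD request carries a body". Only '@sveltejs/kit' is listed here, so any other package that needs the same fix will need its own changeset.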
    
  • packages/kit/src/exports/node/index.js (+4 -1, modified)
    @@ -109,7 +109,10 @@ export async function getRequest({ request, base, bodySizeLimit }) {
     		duplex: 'half',
     		method: request.method,
     		headers: /** @type {Record<string, string>} */ (request.headers),
    -		body: get_raw_body(request, bodySizeLimit)
    +		body:
    +			request.method === 'POST' || request.method === 'PUT' || request.method === 'PATCH'
    +				? get_raw_body(request, bodySizeLimit)
    +				: undefined
     	});
     }
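
Review bot: The new condition on the body: property allowlists only POST, PUT and PATCH, so a body sent with DELETE (or any other method) is now silently discarded before a handler can read it. If that is intended, a one-line comment above the ternary should say so; otherwise consider excluding only the methods the constructor rejects, e.g. request.method === 'GET' || request.method === 'HEAD' ? undefined : get_raw_body(request, bodySizeLimit). Nothing in the visible lines catches a throw from the Request constructor, so any other input it rejects would still propagate to the caller. The commit touches two files and neither is a test; a regression test that calls getRequest with a GET carrying a body would pin the behaviour.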
     
    
