npm package
@sveltejs/kit
pkg:npm/%40sveltejs/kit
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40074 | High | 7.5 | — | < 2.57.1 | 2.57.1 | Apr 10, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled T |
| CVE-2026-40073 | High | 7.5 | — | < 2.57.1 | 2.57.1 | Apr 10, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size lim |
| CVE-2026-22803 | — | — | — | >= 2.49.0, < 2.49.5 | 2.49.5 | Jan 15, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the s |
| CVE-2025-67647 | — | — | — | >= 2.19.0, < 2.49.5 | 2.49.5 | Jan 15, 2026 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability r |
| CVE-2025-32388 | Medium | 5.4 | — | >= 2.0.0, < 2.20.6 | 2.20.6 | Apr 15, 2025 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. At |
| CVE-2024-53261 | — | — | — | < 2.8.3 | 2.8.3 | Nov 25, 2024 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)." The |
| CVE-2024-53262 | — | — | — | < 2.8.3 | 2.8.3 | Nov 25, 2024 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fai |
| CVE-2024-23641 | — | — | — | >= 2.0.0, < 2.4.3 | 2.4.3 | Jan 24, 2024 | SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body e.g. `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the a |
| CVE-2023-29008 | — | — | — | < 1.15.2 | 1.15.2 | Apr 6, 2023 | The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The |
| CVE-2023-29003 | — | — | — | < 1.15.1 | 1.15.1 | Apr 4, 2023 | SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request f |