Lack of data validation in @sveltejs/kit
Description
Sending a GET or HEAD request with a body crashes SvelteKit
Summary
In SvelteKit 2, sending a GET request with a body (for example `{}`) to an app served by `npm run preview` or by adapter-node throws `Request with GET/HEAD method cannot have body.` from the Fetch `Request` constructor, and the uncaught exception crashes the Node process:

```text
node:internal/deps/undici/undici:6066
        throw new TypeError("Request with GET/HEAD method cannot have body.");
        ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    ...
```

HEAD requests with a body, and TRACE requests with or without one, crash the app the same way. Prerendered pages and SvelteKit 1 apps are not affected.
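To make the failure mode concrete, here is an added example (not code from SvelteKit or from the advisory) that models the `getRequest` step in the trace above: it converts an incoming method, URL, headers and body into a Fetch `Request`. The unsafe version forwards the body whatever the method and lets the constructor's TypeError escape, which in an http server's request listener ends the process; the hardened version drops the body on GET/HEAD, refuses the methods the Fetch API forbids (which is why TRACE also crashes), and turns any remaining constructor error into a 400. Everything here, including the function names, the sample requests and the `handle` listener stand-in, is constructed for illustration; it needs Node 18 or later for the global `Request`.

```javascript
// Added example, not SvelteKit's own code: model the step that threw in the
// trace above (building a Fetch `Request` from an incoming Node request) and
// show a conversion that survives the advisory's inputs. Needs Node 18+ for the
// global `Request`. All names here are hypothetical.

// Methods the Fetch API refuses outright; `new Request` throws a TypeError for them.
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);
// Methods that may not carry a body; `new Request` throws if one is supplied.
const BODYLESS_METHODS = new Set(['GET', 'HEAD']);

// Vulnerable conversion: whatever the client sent is forwarded unchanged.
// `curl -X GET -d "{}"` or `curl -X TRACE` makes the constructor throw, and an
// exception escaping an http server's request listener ends the whole process.
function toRequestUnsafe({ method, url, headers = {}, body }) {
  return new Request(url, { method, headers, body });
}

// Hardened conversion: returns { request } on success or { status, reason } so
// the caller answers 400 instead of dying. A body on GET/HEAD is ignored (the
// Fetch API cannot represent one), forbidden methods are rejected before the
// constructor runs, and anything the constructor still rejects becomes a 400.
function toRequestSafe({ method, url, headers = {}, body }) {
  const m = String(method).toUpperCase();
  if (FORBIDDEN_METHODS.has(m)) {
    return { status: 400, reason: `method ${m} is not allowed` };
  }
  const init = { method: m, headers };
  if (body !== undefined && !BODYLESS_METHODS.has(m)) {
    init.body = body;
  }
  try {
    return { request: new Request(url, init) };
  } catch (err) {
    if (err instanceof TypeError) {
      return { status: 400, reason: err.message };
    }
    throw err; // not an input problem; let it surface
  }
}

// Stand-in for an http server's request listener. Returns the status that would
// be sent. With the unsafe converter the TypeError propagates out of here, which
// is the "crash" from the advisory; with the safe one it never throws.
function handle(convert, incoming) {
  const result = convert(incoming);
  if (result instanceof Request) return 200;    // unsafe path succeeded
  return result.request ? 200 : result.status;  // safe path, tagged result
}

// Constructed sample requests mirroring the PoC (not captured traffic).
const SAMPLES = [
  { name: 'GET with body (the PoC)', method: 'GET', url: 'http://localhost:4173/bye', body: '{}' },
  { name: 'HEAD with body', method: 'HEAD', url: 'http://localhost:4173/', body: 'x' },
  { name: 'TRACE', method: 'TRACE', url: 'http://localhost:4173/' },
  { name: 'plain GET', method: 'GET', url: 'http://localhost:4173/' },
  { name: 'POST with JSON', method: 'POST', url: 'http://localhost:4173/api',
    headers: { 'content-type': 'application/json' }, body: '{"a":1}' },
];

for (const sample of SAMPLES) {
  let unsafe;
  try {
    unsafe = handle(toRequestUnsafe, sample);
  } catch (err) {
    unsafe = `crash (${err.constructor.name}: ${err.message})`;
  }
  console.log(`${sample.name}: unsafe -> ${unsafe}; safe -> ${handle(toRequestSafe, sample)}`);
}
```

Run it with `node` to see each sample's outcome under both converters. The hardened version silently ignores a GET/HEAD body rather than rejecting it because, with a streaming Node request, you cannot know whether body bytes will arrive without reading them; if you would rather answer 400, inspect Content-Length and Transfer-Encoding before constructing the `Request`. Whichever policy you choose, the essential fix is that no input a client controls can make the conversion throw past the listener.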
PoC
1. Create a fresh SvelteKit 2 project from the example app (TypeScript template), then build it and start the preview server:

```sh
npm run build
npm run preview
```

2. Open http://localhost:4173 in a browser; the app responds.
3. Send a GET request that carries a body:

```sh
curl -X GET -d "{}" http://localhost:4173/bye
```

4. The application crashes and http://localhost:4173 no longer responds.
Impact
Denial of service: a single unauthenticated request (a GET or HEAD with a body, or a TRACE) terminates the Node process for apps deployed with adapter-node or served with `npm run preview`.
Mitigation
Upgrade @sveltejs/kit and, where used, @sveltejs/adapter-node to the patched versions listed below. Until the upgrade is deployed, dropping GET/HEAD requests that carry a body and TRACE requests at a reverse proxy in front of the Node process prevents the crash.
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| npm | @sveltejs/kit | 2.x before 2.4.3 | 2.4.3 |
| npm | @sveltejs/adapter-node | | 2.1.2, 3.0.3, 4.0.1 |