Fluid Attacks Database

Description

SvelteKit has deserialization expansion in unvalidated form remote function leading to Denial of Service (experimental only) Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service.

Only users with experimental.remoteFunctions: true who are using the form function and are processing the files array without validation are vulnerable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@sveltejs/kit	>=2.49.0 <2.53.3	2.53.3

Aliases

1. GHSA-fpg4-jhqr-589c2. GCVE-GHSA-fpg4-jhqr-589c

References

1. https://github.com/sveltejs/kit/security/advisories/GHSA-fpg4-jhqr-589c2. https://github.com/sveltejs/kit/commit/faba869db3644077169bf5d7c6e41fd5f3d6c65e3. https://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.