Fluid Attacks Database

Description

Memory exhaustion in SvelteKit remote form deserialization (experimental only) Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service.

Only applications using both experimental.remoteFunctions and form are vulnerable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@sveltejs/kit	>=2.49.0 <2.52.2	2.52.2

Aliases

1. GHSA-vrhm-gvg7-fpcf2. GCVE-GHSA-vrhm-gvg7-fpcf

References

1. https://github.com/sveltejs/kit/security/advisories/GHSA-vrhm-gvg7-fpcf2. https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f353. https://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.