Lack of data validation - Type confusion in @sveltejs/kit

Description

CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.

Only applications using both experimental.remoteFunctions and form are vulnerable.
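The exposure conditions above can be checked mechanically. The following is an added triage example, not code from the advisory or from SvelteKit: it takes the resolved @sveltejs/kit version, the text of svelte.config.js and the text of the remote-function modules, and reports whether all three conditions hold. Assumptions: the function names and sample inputs are constructed, the checks are text heuristics rather than a real parser, and `form` is taken to be imported from `$app/server` as in SvelteKit's remote-functions API.

```javascript
// Added triage example; not SvelteKit code. Inputs are passed in as strings.
const PATCHED = [2, 52, 2]; // first fixed @sveltejs/kit release per the advisory

// True when `installed` (e.g. "2.52.1", "v2.53.0", "2.52.2-next.1") sorts before 2.52.2.
function isBeforePatched(installed) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(installed).trim());
  if (!m) return true; // unparseable: flag for manual review rather than pass it
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== PATCHED[i]) return n < PATCHED[i];
  }
  return Boolean(m[4]); // a prerelease of 2.52.2 sorts before the release
}

// Heuristic: drop comments so a commented-out setting is not counted.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/(^|[^:])\/\/.*$/gm, '$1');
}

// Heuristic text match for `remoteFunctions: true` in svelte.config.js.
function remoteFunctionsEnabled(configSrc) {
  return /\bremoteFunctions\s*:\s*true\b/.test(stripComments(configSrc));
}

// True when a module imports `form` (optionally aliased) from '$app/server'.
function importsForm(moduleSrc) {
  const re = /import\s*\{([^}]*)\}\s*from\s*['"]\$app\/server['"]/g;
  for (const m of stripComments(moduleSrc).matchAll(re)) {
    const names = m[1].split(',').map((s) => s.trim().split(/\s+as\s+/)[0]);
    if (names.includes('form')) return true;
  }
  return false;
}

// All three conditions from the advisory must hold for the app to be exposed.
function assess({ kitVersion, svelteConfig, remoteModules }) {
  const unpatched = isBeforePatched(kitVersion);
  const enabled = remoteFunctionsEnabled(svelteConfig);
  const usesForm = remoteModules.some(importsForm);
  return { unpatched, enabled, usesForm, exposed: unpatched && enabled && usesForm };
}

// Constructed sample project (not taken from a real application).
const sampleConfig = `export default {
  kit: { experimental: { remoteFunctions: true } } // opt-in flag
};`;
const sampleModule = `import { query, form } from '$app/server';
export const subscribe = form(async (data) => ({ ok: true }));`;
console.log(assess({ kitVersion: '2.52.1', svelteConfig: sampleConfig, remoteModules: [sampleModule] }));
```

Pass the version actually installed (from the lockfile or node_modules), not a range such as ^2.52.1 from package.json; a range does not parse and is reported as unpatched.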

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions