SvelteKit Support & Health

GHSA-2crg-3p73-43xp CVSS_V4

@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass

Published: 2026-04-10 Fixed in: 2.57.1

GHSA-3f6h-2hrp-w5wx CVSS_V4

@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service

Published: 2026-04-10 Fixed in: 2.57.1

GHSA-5p75-vc5g-8rv2 CVSS_V3

SvelteKit vulnerable to Cross-Site Request Forgery

Published: 2023-04-04 Fixed in: 1.15.1

GHSA-6q87-84jw-cjhp CVSS_V3

@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params

Published: 2025-04-14 Fixed in: 2.20.6

GHSA-88qp-p4qg-rqm6 CVSS_V4

CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Published: 2026-02-19 Fixed in: 2.52.2

GHSA-fpg4-jhqr-589c CVSS_V4

SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Published: 2026-02-28 Fixed in: 2.53.3

GHSA-g5m6-hxpp-fc49 CVSS_V3

Sending a GET or HEAD request with a body crashes SvelteKit

Published: 2024-01-24 Fixed in: 2.4.3

GHSA-gv7g-x59x-wf8f CVSS_V3

SvelteKit framework has Insufficient CSRF protection for CORS requests

Published: 2023-04-07 Fixed in: 1.15.2

GHSA-j2f3-wq62-6q46 CVSS_V4

@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)

Published: 2026-01-15 Fixed in: 2.49.5

GHSA-j62c-4x62-9r35 CVSS_V4

SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering

Published: 2026-01-15 Fixed in: 2.49.5

SvelteKit