Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.

Related CPE's

a

svelte

kit

*

*

*

*

*

node.js

Vulnerable

References

https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5

Patch

https://github.com/sveltejs/kit/releases/tag/@sveltejs%[email protected]

Release Notes

https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-789

[email protected]

Primary
CWE-770

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 · High

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-15T19:16:06.120Z

1 month ago

Last modified

2026-01-21T20:34:46.277Z

1 month ago