CPU exhaustion in SvelteKit remote form deserialization (experimental only)
Severity: Medium
Description
Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can keep the server busy while it processes a single request, making the application unresponsive and resulting in denial of service.
Only applications that enable the experimental.remoteFunctions option and use the `form` remote function are vulnerable.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Version details are as follows:
- Affected version(s): >= 2.49.0, <= 2.52.1
- Patched version(s): 2.52.2
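The advisory states two conditions that must both hold for an application to be exposed: an installed @sveltejs/kit in the affected range and the experimental remote functions feature in use. The following script is an added example (not part of the advisory and not SvelteKit's own code) that checks both against a project's lockfile and config. It assumes the lockfileVersion 2/3 layout (`packages["node_modules/<name>"].version`), that the feature flag lives at `kit.experimental.remoteFunctions` in svelte.config.js, and that `form` is imported from `$app/server`; the sample inputs are constructed.

```javascript
// Added example: is this project inside the advisory's affected range, and does it
// actually turn on the feature the advisory scopes the bug to? Not SvelteKit's code.

const AFFECTED_MIN = '2.49.0'; // from the advisory
const AFFECTED_MAX = '2.52.1'; // from the advisory
const PATCHED = '2.52.2';      // from the advisory

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a release version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version strings: returns -1, 0 or 1.
// (A plain string compare would wrongly order 2.9.0 after 2.10.0.)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when version lies in [AFFECTED_MIN, AFFECTED_MAX] inclusive.
function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Installed @sveltejs/kit version from a parsed package-lock.json, or null.
function installedKitVersion(lock) {
  const entry = lock && lock.packages && lock.packages['node_modules/@sveltejs/kit'];
  return entry && entry.version ? entry.version : null;
}

// Assumed config shape: { kit: { experimental: { remoteFunctions: true } } }.
function remoteFunctionsEnabled(svelteConfig) {
  return Boolean(svelteConfig && svelteConfig.kit && svelteConfig.kit.experimental &&
                 svelteConfig.kit.experimental.remoteFunctions);
}

// Assumed import form for the `form` remote function: import { ..., form, ... } from '$app/server'.
function usesFormRemoteFunction(sourceText) {
  return /import\s*\{[^}]*\bform\b[^}]*\}\s*from\s*['"]\$app\/server['"]/.test(sourceText);
}

// Combine the conditions the advisory names; only their conjunction is exposed.
function assess(lock, svelteConfig, remoteSources) {
  const version = installedKitVersion(lock);
  if (version === null) return { status: 'not-installed', version: null, upgradeTo: null };
  const affected = isAffectedVersion(version);
  const featureOn = remoteFunctionsEnabled(svelteConfig);
  const usesForm = (remoteSources || []).some(usesFormRemoteFunction);
  let status;
  if (!affected) status = 'patched-or-unaffected';
  else if (!featureOn || !usesForm) status = 'affected-version-but-form-remote-functions-not-used';
  else status = 'exposed';
  return { status, version, upgradeTo: affected ? PATCHED : null };
}

// Constructed sample inputs (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: { 'node_modules/@sveltejs/kit': { version: '2.50.3' } }
};
const sampleConfig = { kit: { experimental: { remoteFunctions: true } } };
const sampleRemoteFile = "import { form } from '$app/server';\nexport const save = form(async (data) => data);";

console.log(assess(sampleLock, sampleConfig, [sampleRemoteFile]));
```

Run it with `node` after pointing it at a real `package-lock.json` and `svelte.config.js`; a status of `exposed` means the upgrade to 2.52.2 is the fix, while `affected-version-but-form-remote-functions-not-used` still warrants the upgrade since the feature is one config change away.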
References
Related Issues
- Memory exhaustion in SvelteKit remote form deserialization (experimental only) - Vulnerability
- SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimenta - Vulnerability
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
Tags: npm, @sveltejs/kit
Last updated on February 19, 2026