Memory exhaustion in SvelteKit remote form deserialization (experimental only)
- Severity:
- Medium
Description
Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service.
Only applications using both experimental.remoteFunctions and form are vulnerable.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Followings are version details:
- Affected version(s): >= 2.49.0, <= 2.52.1
- Patched version(s): 2.52.2
References
Related Issues
- CPU exhaustion in SvelteKit remote form deserialization (experimental only) - Vulnerability
- SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimenta - Vulnerability
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA - CVE-2023-33831
- Tags:
- npm
- @sveltejs/kit
Anything's wrong? Let us know Last updated on February 19, 2026