@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve
Severity: High
Description
The experimental `form` remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion.
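The defensive pattern behind the fix for this class of bug is to never allocate on the strength of a length the client declares. The following is an added illustration, not SvelteKit's code and not its wire format (which the advisory does not describe): a decoder for a constructed length-prefixed form encoding that checks every declared length against the bytes actually present and against a fixed budget before touching memory. The format, the limits `MAX_TOTAL_BYTES` and `MAX_FIELDS`, and the sample inputs are all constructed for this example.

```javascript
// Added example (not SvelteKit's code). Constructed wire format, for illustration only:
//   u32 big-endian field count, then per field:
//   u32 name length, name bytes (UTF-8), u32 value length, value bytes.

const MAX_TOTAL_BYTES = 1 << 20; // 1 MiB per body (assumed policy for this example)
const MAX_FIELDS = 1000;         // upper bound on declared field count (assumed policy)

class DecodeError extends Error {}

function readU32(view, offset) {
  if (offset + 4 > view.byteLength) throw new DecodeError('truncated header');
  return view.getUint32(offset, false);
}

// Decodes a body into { name: value }. Throws DecodeError before any allocation
// when a declared count or length is not backed by real input bytes, so a few
// header bytes cannot demand a multi-gigabyte buffer.
function decodeForm(bytes) {
  if (bytes.byteLength > MAX_TOTAL_BYTES) throw new DecodeError('body too large');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const dec = new TextDecoder();
  let off = 0;
  const count = readU32(view, off); off += 4;
  if (count > MAX_FIELDS) throw new DecodeError(`field count ${count} exceeds limit`);
  const out = {};
  for (let i = 0; i < count; i++) {
    const entry = [];
    for (let j = 0; j < 2; j++) {
      const len = readU32(view, off); off += 4;
      const remaining = view.byteLength - off;
      // The essential check: a declared length may never exceed what is actually
      // present. A decoder that sized a buffer from `len` here would be the
      // amplification primitive; we reject instead of allocating.
      if (len > remaining) {
        throw new DecodeError(`declared length ${len} exceeds remaining ${remaining} bytes`);
      }
      entry.push(dec.decode(bytes.subarray(off, off + len)));
      off += len;
    }
    out[entry[0]] = entry[1];
  }
  if (off !== bytes.byteLength) throw new DecodeError('trailing bytes');
  return out;
}

// Encoder used only to build well-formed constructed input for the checks below.
function encodeForm(fields) {
  const enc = new TextEncoder();
  const u32 = (n) => { const b = new Uint8Array(4); new DataView(b.buffer).setUint32(0, n, false); return b; };
  const parts = [u32(Object.keys(fields).length)];
  for (const [k, v] of Object.entries(fields)) {
    const kb = enc.encode(k), vb = enc.encode(v);
    parts.push(u32(kb.length), kb, u32(vb.length), vb);
  }
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Returns the DecodeError message for a rejected body, or null when it decodes.
function tryDecode(bytes) {
  try { decodeForm(bytes); return null; }
  catch (e) { if (e instanceof DecodeError) return e.message; throw e; }
}

// Constructed malformed inputs: a single field whose name claims 0xFFFFFFFF bytes
// but supplies none, and a header declaring 4096 fields with no field data.
const oversizedLength = new Uint8Array([0, 0, 0, 1, 0xff, 0xff, 0xff, 0xff]);
const oversizedCount = new Uint8Array([0, 0, 0x10, 0]);
```

Both malformed bodies are 4 to 8 bytes long and are rejected at the header checks; the well-formed body round-trips. The same two rules (declared length bounded by remaining input, total body bounded by a budget) apply to any length-prefixed deserializer regardless of the exact format.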
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Version details:
- Affected version(s): >= 2.49.0, <= 2.49.4
- Patched version(s): 2.49.5
Related Issues
- SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimenta - Vulnerability
- Memory exhaustion in SvelteKit remote form deserialization (experimental only) - Vulnerability
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
Tags: npm, @sveltejs/kit
Last updated on January 15, 2026