@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve
- Severity: High
Description
The experimental form remote function accepts a binary data format that encodes the submitted form data. A specially-crafted payload can make the server allocate an amount of memory far larger than the payload itself, resulting in denial of service through memory exhaustion.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Version details:
- Affected version(s): >= 2.49.0, <= 2.49.4
- Patched version(s): 2.49.5
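As an added example that is not part of this advisory: a Node.js script that walks a package-lock.json (lockfile version 2 or 3) and flags every installed copy of @sveltejs/kit that falls inside the affected range above, including nested duplicates pulled in by other dependencies. The sample lockfile is constructed.

```javascript
// Added example (not part of the advisory): flag installed @sveltejs/kit copies
// that fall inside the affected range. Bounds are taken from the advisory.
const AFFECTED_MIN = "2.49.0";
const AFFECTED_MAX = "2.49.4";
const PATCHED = "2.49.5";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Semver ordering: numeric parts first; a prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // lexical prerelease compare is enough for a range test
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, AFFECTED_MAX) <= 0;
}

// package-lock.json v2/v3 lists every installed copy under "packages", keyed by its
// node_modules path, so nested duplicates pulled in by other dependencies are seen too.
function findKitVersions(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "node_modules/@sveltejs/kit" || path.endsWith("/node_modules/@sveltejs/kit")) {
      hits.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return hits;
}

// Constructed sample: a vulnerable top-level copy and a patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@sveltejs/kit": { version: "2.49.2" },
    "node_modules/some-tool/node_modules/@sveltejs/kit": { version: PATCHED },
  },
};
for (const h of findKitVersions(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} -> ${h.affected ? "AFFECTED, upgrade to " + PATCHED : "ok"}`);
}
```

To scan a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.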
References
Related Issues
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - CVE-2025-67647
- Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function ga - CVE-2025-65110
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
- Tags: npm, @sveltejs/kit
Last updated on January 15, 2026