@sveltejs/kit: `query.batch` cross-talk

Description

query.batch() could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure.

Recommendation

Update the @sveltejs/kit package to the latest compatible version. Followings are version details:

• Affected version(s): >= 2.38.0, <= 2.60.0
• Patched version(s): 2.60.1

References

• GHSA-hgv7-v322-mmgr
• CWE-200
• OWASP 2021-A1

Related Issues

• @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388
• @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
• @sveltejs/kit vulnerable to XSS on dev mode 404 page - CVE-2024-53261
• @sveltejs/kit has unescaped error message included on error page - CVE-2024-53262

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@sveltejs/kit