SvelteKit framework has Insufficient CSRF protection for CORS requests

Severity:: High

Description

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.

SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at kit/src/runtime/server/respond.js.

Recommendation

Update the @sveltejs/kit package to the latest compatible version. Followings are version details:

Affected version(s): < 1.15.2
Patched version(s): 1.15.2

References

GHSA-gv7g-x59x-wf8f
CVE-2023-29008
CWE-352
CWE-918
CAPEC-310
OWASP 2021-A1
OWASP 2021-A10
OWASP 2021-A6

Related Issues

SvelteKit vulnerable to Cross-Site Request Forgery - CVE-2023-29003
Vega has Cross-site Scripting vulnerability in `lassoAppend` function - CVE-2023-26487
tiny-csrf has openly visible CSRF tokens - CVE-2022-39287
gatsby-transformer-remark has possible unsanitized JavaScript code injection - CVE-2023-22491

Tags:: npm; @sveltejs/kit

Anything's wrong? Let us know Last updated on April 14, 2023