SvelteKit framework has Insufficient CSRF protection for CORS requests

Severity:: High

Description

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.

SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at kit/src/runtime/server/respond.js.

Recommendation

Update the @sveltejs/kit package to the latest compatible version. Followings are version details:

Affected version(s): < 1.15.2
Patched version(s): 1.15.2

References

GHSA-gv7g-x59x-wf8f
CVE-2023-29008
CWE-352
CWE-918
CAPEC-310
OWASP 2021-A1
OWASP 2021-A10
OWASP 2021-A6

Related Issues

SvelteKit vulnerable to Cross-Site Request Forgery - CVE-2023-29003
Payload has a CSRF Protection Bypass in Authentication Flow - CVE-2026-34749
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools - CVE-2026-44895
tiny-csrf has openly visible CSRF tokens - CVE-2022-39287

CSRF, XXE, and 12 Other Security Acronyms Explained

How to Secure your NodeJs Express Javascript Application - part 1

Update Cheat Sheet for Developers

Tags:: npm; @sveltejs/kit

Anything's wrong? Let us know Last updated on April 14, 2023