SvelteKit framework has Insufficient CSRF protection for CORS requests
- Severity:
- High
Description
The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.
SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at kit/src/runtime/server/respond.js.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.15.2
- Patched version(s): 1.15.2
References
Related Issues
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
- @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388
- tarteaucitron.js allows UI manipulation via unrestricted CSS injection - CVE-2025-31138
- Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) - Vulnerability
- Tags:
- npm
- @sveltejs/kit
Anything's wrong? Let us know Last updated on April 14, 2023