SvelteKit framework has Insufficient CSRF protection for CORS requests
- Severity:
- High
Description
The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.
SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at kit/src/runtime/server/respond.js.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.15.2
- Patched version(s): 1.15.2
References
Related Issues
- Payload has a CSRF Protection Bypass in Authentication Flow - CVE-2026-34749
- SvelteKit vulnerable to Cross-Site Request Forgery - CVE-2023-29003
- Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - CVE-2026-34750
- SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimenta - Vulnerability
You might also like:
- Tags:
- npm
- @sveltejs/kit
Anything's wrong? Let us know Last updated on April 14, 2023


