SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimenta
- Severity:
- Low
Description
Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn’t check files.length or individual files’ sizes and performs expensive processing with them, it can result in Denial of Service.
Only users with experimental.remoteFunctions: true who are using the form function and are processing the files array without validation are vulnerable.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Followings are version details:
- Affected version(s): >= 2.49.0, <= 2.53.2
- Patched version(s): 2.53.3
References
Related Issues
- CPU exhaustion in SvelteKit remote form deserialization (experimental only) - Vulnerability
- Memory exhaustion in SvelteKit remote form deserialization (experimental only) - Vulnerability
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Tags:
- npm
- @sveltejs/kit
Anything's wrong? Let us know Last updated on February 28, 2026