SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering

Description

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Recommendation

Update the @sveltejs/kit package to the latest compatible version. Followings are version details:

• Affected version(s): >= 2.19.0, <= 2.49.4
• Patched version(s): 2.49.5

References

• GHSA-j62c-4x62-9r35
• CVE-2025-67647
• CWE-248
• CWE-400
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering (GHSA-j62c-4x62-9r35) - CVE-2025-67647
• axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
• Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
• angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118

Tags:

npm

@sveltejs/kit