SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering

Description

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Recommendation

Update the @sveltejs/kit package to the latest compatible version. Followings are version details:

• Affected version(s): >= 2.19.0, <= 2.49.4
• Patched version(s): 2.49.5

References

• GHSA-j62c-4x62-9r35
• CVE-2025-67647
• CWE-248
• CWE-400
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
• MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 - CVE-2025-67898
• @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388
• @sveltejs/kit vulnerable to XSS on dev mode 404 page - CVE-2024-53261

Tags:

npm

@sveltejs/kit