SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - @sveltejs/adapter-node

Description

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Recommendation

Update the @sveltejs/adapter-node package to the latest compatible version. Followings are version details:

• Affected version(s): >= 5.4.1, <= 5.5.0
• Patched version(s): 5.5.1

References

• GHSA-j62c-4x62-9r35
• CVE-2025-67647
• CWE-248
• CWE-400
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - CVE-2025-67647
• Sending a GET or HEAD request with a body crashes SvelteKit - @sveltejs/adapter-node - CVE-2024-23641
• Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
• @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

@sveltejs/adapter-node