SvelteKit vulnerable to Cross-Site Request Forgery

Severity:: High

Description

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.

SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to it’s users. The protection is implemented at kit/src/runtime/server/respond.js#L52.

Recommendation

Update the @sveltejs/kit package to the latest compatible version. Followings are version details:

Affected version(s): < 1.15.1
Patched version(s): 1.15.1

References

GHSA-5p75-vc5g-8rv2
CVE-2023-29003
CWE-184
CWE-352
CAPEC-310
OWASP 2021-A1
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
Cross-site Scripting (XSS) in serialize-javascript - CVE-2024-11831
QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388

Tags:: npm; @sveltejs/kit

Anything's wrong? Let us know Last updated on April 06, 2023