@sveltejs/kit
npm · 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @sveltejs/kit (page 1 of 1)
- CVE-2023-29003 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 1.15.1 · 2023-04-04
  SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit pro…
- CVE-2023-29008 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 1.15.2 · 2023-04-06
  The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request fo…
- CVE-2024-23641 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.4.3 · 2024-01-24
  SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body, e.g. `{}`, to a built and previewed/hosted SvelteKit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this…
- CVE-2024-53261 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 2.8.3 · 2024-11-25
  SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in …
- CVE-2024-53262 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 2.8.3 · 2024-11-25
  SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page …
- CVE-2025-32388 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 2.20.6 · 2025-04-15
  SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searc…
- CVE-2025-67647 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.49.5 · 2026-01-15
  SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2…
- CVE-2026-22803 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.49.5 · 2026-01-15
  SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A …
- CVE-2026-40073 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.57.1 · 2026-04-10
  SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. …
- CVE-2026-40074 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.57.1 · 2026-04-10
  SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in…