CVE-2024-23641

24.01.2024, 17:15

SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Vendor	Product	Version
svelte	adapter-node	2.0.0 ≤ 𝑥 < 2.1.2
svelte	adapter-node	3.0.0 ≤ 𝑥 < 3.0.3
svelte	adapter-node	4.0.0
svelte	kit	2.0.0 ≤ 𝑥 < 2.4.3

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9

https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49

https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9

https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49