CVE-2025-67647
EUVD-2026-279115.01.2026, 19:16
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| svelte | adapter-node | 5.4.1 ≤ 𝑥 < 5.5.1 |
| svelte | kit | 2.19.0 ≤ 𝑥 < 2.49.5 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-248 - Uncaught ExceptionAn exception is thrown from a function, but it is not caught.
- CWE-918 - Server-Side Request Forgery (SSRF)The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.