OsVault/npm/@sveltejs/kit
npm

@sveltejs/kit

10 known vulnerabilities · 0 critical · 2 high

GHSA-vrhm-gvg7-fpcf

Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Published Feb 19, 2026
CVE-2023-29008HIGH

SvelteKit framework has Insufficient CSRF protection for CORS requests

Published Apr 7, 2023
GHSA-2crg-3p73-43xp

@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass

Published Apr 10, 2026
GHSA-3f6h-2hrp-w5wx

@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service

Published Apr 10, 2026
GHSA-88qp-p4qg-rqm6

CPU exhaustion in SvelteKit remote form deserialization (experimental only)

Published Feb 19, 2026
CVE-2023-29003HIGH

SvelteKit vulnerable to Cross-Site Request Forgery

Published Apr 4, 2023
CVE-2025-67647

SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering

Published Jan 15, 2026
GHSA-fpg4-jhqr-589c

SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Published Feb 28, 2026
CVE-2026-22803

@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)

Published Jan 15, 2026
GHSA-hgv7-v322-mmgr

@sveltejs/kit: `query.batch` cross-talk

Published May 21, 2026
Check your entire dependency tree at onceRun dependency scan →