CVE-2025-67647

Source
https://cve.org/CVERecord?id=CVE-2025-67647
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67647.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67647
Aliases
Published
2026-01-15T18:33:25.295Z
Modified
2026-03-01T02:55:01.747269Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N
Summary
SvelteKit Denial of service and possible SSRF when using prerendering
Details

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server-side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-248",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67647.json"
}
References

Affected packages

Git / github.com/sveltejs/kit

Affected ranges

Type
GIT
Repo
https://github.com/sveltejs/kit
Events

Affected versions

@sveltejs/adapter-auto@5.*
@sveltejs/adapter-auto@5.0.0
@sveltejs/adapter-auto@6.*
@sveltejs/adapter-auto@6.0.0
@sveltejs/adapter-auto@6.0.1
@sveltejs/adapter-auto@6.0.2
@sveltejs/adapter-auto@6.1.0
@sveltejs/adapter-auto@6.1.1
@sveltejs/adapter-auto@7.*
@sveltejs/adapter-auto@7.0.0
@sveltejs/adapter-cloudflare-workers@2.*
@sveltejs/adapter-cloudflare-workers@2.9.0
@sveltejs/adapter-cloudflare@5.*
@sveltejs/adapter-cloudflare@5.1.0
@sveltejs/adapter-cloudflare@6.*
@sveltejs/adapter-cloudflare@6.0.0
@sveltejs/adapter-cloudflare@6.0.1
@sveltejs/adapter-cloudflare@7.*
@sveltejs/adapter-cloudflare@7.0.0
@sveltejs/adapter-cloudflare@7.0.1
@sveltejs/adapter-cloudflare@7.0.2
@sveltejs/adapter-cloudflare@7.0.3
@sveltejs/adapter-cloudflare@7.0.4
@sveltejs/adapter-cloudflare@7.0.5
@sveltejs/adapter-cloudflare@7.1.0
@sveltejs/adapter-cloudflare@7.1.1
@sveltejs/adapter-cloudflare@7.1.2
@sveltejs/adapter-cloudflare@7.1.3
@sveltejs/adapter-cloudflare@7.2.0
@sveltejs/adapter-cloudflare@7.2.1
@sveltejs/adapter-cloudflare@7.2.2
@sveltejs/adapter-cloudflare@7.2.3
@sveltejs/adapter-cloudflare@7.2.4
@sveltejs/adapter-netlify@5.*
@sveltejs/adapter-netlify@5.0.0
@sveltejs/adapter-netlify@5.0.1
@sveltejs/adapter-netlify@5.0.2
@sveltejs/adapter-netlify@5.1.0
@sveltejs/adapter-netlify@5.1.1
@sveltejs/adapter-netlify@5.2.0
@sveltejs/adapter-netlify@5.2.1
@sveltejs/adapter-netlify@5.2.2
@sveltejs/adapter-netlify@5.2.3
@sveltejs/adapter-netlify@5.2.4
@sveltejs/adapter-node@5.*
@sveltejs/adapter-node@5.2.13
@sveltejs/adapter-node@5.2.14
@sveltejs/adapter-node@5.2.15
@sveltejs/adapter-node@5.2.16
@sveltejs/adapter-node@5.3.0
@sveltejs/adapter-node@5.3.1
@sveltejs/adapter-node@5.3.2
@sveltejs/adapter-node@5.3.3
@sveltejs/adapter-node@5.4.0
@sveltejs/adapter-node@5.5.0
@sveltejs/adapter-static@3.*
@sveltejs/adapter-static@3.0.10
@sveltejs/adapter-static@3.0.9
@sveltejs/adapter-vercel@5.*
@sveltejs/adapter-vercel@5.10.0
@sveltejs/adapter-vercel@5.10.1
@sveltejs/adapter-vercel@5.10.2
@sveltejs/adapter-vercel@5.10.3
@sveltejs/adapter-vercel@5.7.0
@sveltejs/adapter-vercel@5.7.1
@sveltejs/adapter-vercel@5.7.2
@sveltejs/adapter-vercel@5.8.0
@sveltejs/adapter-vercel@5.8.1
@sveltejs/adapter-vercel@5.8.2
@sveltejs/adapter-vercel@5.9.0
@sveltejs/adapter-vercel@5.9.1
@sveltejs/adapter-vercel@6.*
@sveltejs/adapter-vercel@6.0.0
@sveltejs/adapter-vercel@6.1.0
@sveltejs/adapter-vercel@6.1.1
@sveltejs/adapter-vercel@6.1.2
@sveltejs/adapter-vercel@6.2.0
@sveltejs/adapter-vercel@6.3.0
@sveltejs/amp@1.*
@sveltejs/amp@1.1.5
@sveltejs/enhanced-img@0.*
@sveltejs/enhanced-img@0.5.0
@sveltejs/enhanced-img@0.5.1
@sveltejs/enhanced-img@0.6.0
@sveltejs/enhanced-img@0.6.1
@sveltejs/enhanced-img@0.7.0
@sveltejs/enhanced-img@0.7.1
@sveltejs/enhanced-img@0.8.0
@sveltejs/enhanced-img@0.8.1
@sveltejs/enhanced-img@0.8.2
@sveltejs/enhanced-img@0.8.3
@sveltejs/enhanced-img@0.8.4
@sveltejs/enhanced-img@0.8.5
@sveltejs/enhanced-img@0.9.0
@sveltejs/enhanced-img@0.9.1
@sveltejs/enhanced-img@0.9.2
@sveltejs/kit@2.*
@sveltejs/kit@2.19.0
@sveltejs/kit@2.19.1
@sveltejs/kit@2.19.2
@sveltejs/kit@2.20.0
@sveltejs/kit@2.20.1
@sveltejs/kit@2.20.2
@sveltejs/kit@2.20.3
@sveltejs/kit@2.20.4
@sveltejs/kit@2.20.5
@sveltejs/kit@2.20.6
@sveltejs/kit@2.20.7
@sveltejs/kit@2.20.8
@sveltejs/kit@2.21.0
@sveltejs/kit@2.21.1
@sveltejs/kit@2.21.2
@sveltejs/kit@2.21.3
@sveltejs/kit@2.21.4
@sveltejs/kit@2.21.5
@sveltejs/kit@2.22.0
@sveltejs/kit@2.22.1
@sveltejs/kit@2.22.2
@sveltejs/kit@2.22.3
@sveltejs/kit@2.22.4
@sveltejs/kit@2.22.5
@sveltejs/kit@2.23.0
@sveltejs/kit@2.24.0
@sveltejs/kit@2.25.0
@sveltejs/kit@2.25.1
@sveltejs/kit@2.25.2
@sveltejs/kit@2.26.0
@sveltejs/kit@2.26.1
@sveltejs/kit@2.27.0
@sveltejs/kit@2.27.1
@sveltejs/kit@2.27.2
@sveltejs/kit@2.27.3
@sveltejs/kit@2.28.0
@sveltejs/kit@2.29.0
@sveltejs/kit@2.29.1
@sveltejs/kit@2.30.0
@sveltejs/kit@2.30.1
@sveltejs/kit@2.31.0
@sveltejs/kit@2.31.1
@sveltejs/kit@2.32.0
@sveltejs/kit@2.33.0
@sveltejs/kit@2.33.1
@sveltejs/kit@2.34.0
@sveltejs/kit@2.34.1
@sveltejs/kit@2.35.0
@sveltejs/kit@2.36.0
@sveltejs/kit@2.36.1
@sveltejs/kit@2.36.2
@sveltejs/kit@2.36.3
@sveltejs/kit@2.37.0
@sveltejs/kit@2.37.1
@sveltejs/kit@2.38.0
@sveltejs/kit@2.38.1
@sveltejs/kit@2.39.0
@sveltejs/kit@2.39.1
@sveltejs/kit@2.40.0
@sveltejs/kit@2.41.0
@sveltejs/kit@2.42.0
@sveltejs/kit@2.42.1
@sveltejs/kit@2.42.2
@sveltejs/kit@2.43.0
@sveltejs/kit@2.43.1
@sveltejs/kit@2.43.2
@sveltejs/kit@2.43.3
@sveltejs/kit@2.43.4
@sveltejs/kit@2.43.5
@sveltejs/kit@2.43.6
@sveltejs/kit@2.43.7
@sveltejs/kit@2.43.8
@sveltejs/kit@2.44.0
@sveltejs/kit@2.45.0
@sveltejs/kit@2.46.0
@sveltejs/kit@2.46.1
@sveltejs/kit@2.46.2
@sveltejs/kit@2.46.3
@sveltejs/kit@2.46.4
@sveltejs/kit@2.46.5
@sveltejs/kit@2.47.0
@sveltejs/kit@2.47.1
@sveltejs/kit@2.47.2
@sveltejs/kit@2.47.3
@sveltejs/kit@2.48.0
@sveltejs/kit@2.48.1
@sveltejs/kit@2.48.2
@sveltejs/kit@2.48.3
@sveltejs/kit@2.48.4
@sveltejs/kit@2.48.5
@sveltejs/kit@2.48.6
@sveltejs/kit@2.48.7
@sveltejs/kit@2.48.8
@sveltejs/kit@2.49.0
@sveltejs/kit@2.49.1
@sveltejs/kit@2.49.2
@sveltejs/kit@2.49.3
@sveltejs/kit@2.49.4
@sveltejs/package@2.*
@sveltejs/package@2.3.11
@sveltejs/package@2.3.12
@sveltejs/package@2.4.0
@sveltejs/package@2.4.1
@sveltejs/package@2.5.0
@sveltejs/package@2.5.1
@sveltejs/package@2.5.2
@sveltejs/package@2.5.3
@sveltejs/package@2.5.4
@sveltejs/package@2.5.5
@sveltejs/package@2.5.6
@sveltejs/package@2.5.7
create-svelte@7.*
create-svelte@7.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67647.json"