GHSA-g5m6-hxpp-fc49

Source

https://github.com/advisories/GHSA-g5m6-hxpp-fc49

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-g5m6-hxpp-fc49/GHSA-g5m6-hxpp-fc49.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g5m6-hxpp-fc49

Aliases

CVE-2024-23641

Related

CVE-2024-23641

Published

2024-01-24T14:22:22Z

Modified

2024-01-24T19:13:36Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Sending a GET or HEAD request with a body crashes SvelteKit

Details

Summary

In SvelteKit 2 sending a GET request with a body eg {} to a SvelteKit app in preview or with adapter-node throws Request with GET/HEAD method cannot have body. and crashes the app.

node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

<!--

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer. -->

PoC

First do a fresh install of SvelteKit 2 with the example app. Typescript.

npm run build
npm run preview
Go to http://localhost:4173 (works)
curl -X GET -d "{}" http://localhost:4173/bye
Application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-24T14:22:22Z",
    "nvd_published_at": "2024-01-24T17:15:08Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH"
}

References