In SvelteKit 2 sending a GET request with a body eg {}
to a SvelteKit app in preview or with adapter-node
throws Request with GET/HEAD method cannot have body.
and crashes the app.
node:internal/deps/undici/undici:6066
throw new TypeError("Request with GET/HEAD method cannot have body.");
^
TypeError: Request with GET/HEAD method cannot have body.
at new Request (node:internal/deps/undici/undici:6066:17)
at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
Node.js v20.11.0
TRACE
requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.
<!--
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer. -->
<!-- Complete instructions, including specific configuration details, to reproduce the vulnerability. --> First do a fresh install of SvelteKit 2 with the example app. Typescript.
npm run build
npm run preview
<!-- What kind of vulnerability is it? Who is impacted? -->
Denial of Service for apps using adapter-node
{ "github_reviewed_at": "2024-01-24T14:22:22Z", "cwe_ids": [ "CWE-20" ], "nvd_published_at": "2024-01-24T17:15:08Z", "severity": "HIGH", "github_reviewed": true }