GHSA-j62c-4x62-9r35
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j62c-4x62-9r35
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-j62c-4x62-9r35/GHSA-j62c-4x62-9r35.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j62c-4x62-9r35
- Aliases
- Published
- 2026-01-15T18:09:59Z
- Modified
- 2026-02-03T03:17:53.517839Z
- Severity
-
- 8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering
- Details
-
Summary
Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.
Details
Affected versions from 2.44.0 onwards are vulnerable to DoS if:
- your app has at least one prerendered route (
export const prerender = true)
Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:
- your app has at least one prerendered route (
export const prerender = true) - AND you are using
adapter-nodewithout a configuredORIGINenvironment variable, and you are not using a reverse proxy that implements Host header validation
Impact
The DoS causes the running server process to end.
The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.
It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).
Credits
- your app has at least one prerendered route (
- Database specific
{ "nvd_published_at": "2026-01-15T19:16:03Z", "github_reviewed_at": "2026-01-15T18:09:59Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-248", "CWE-400", "CWE-918" ] }- References
-
- https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35
- https://nvd.nist.gov/vuln/detail/CVE-2025-67647
- https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226
- https://github.com/sveltejs/kit
- https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fadapter-node%405.5.1
- https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.49.5
Affected packages
npm / @sveltejs/kit
Package
- Name
- @sveltejs/kit
- View open source insights on deps.dev
- Purl
- pkg:npm/%40sveltejs/kit
npm / @sveltejs/adapter-node
Package
- Name
- @sveltejs/adapter-node
- View open source insights on deps.dev
- Purl
- pkg:npm/%40sveltejs/adapter-node