GHSA-vrhm-gvg7-fpcf

Source

https://github.com/advisories/GHSA-vrhm-gvg7-fpcf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-vrhm-gvg7-fpcf/GHSA-vrhm-gvg7-fpcf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vrhm-gvg7-fpcf

Published

2026-02-19T20:29:42Z

Modified

2026-02-22T23:25:49.392878Z

Severity

4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Details

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service.

Only applications using both experimental.remoteFunctions and form are vulnerable.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T20:29:42Z"
}

References

Affected packages

npm / @sveltejs/kit

Package

Name: @sveltejs/kit; View open source insights on deps.dev
Purl: pkg:npm/%40sveltejs/kit

Affected ranges

Type: SEMVER
Events: Introduced

2.49.0

Fixed

2.52.2

Database specific

last_known_affected_version_range

"<= 2.52.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-vrhm-gvg7-fpcf/GHSA-vrhm-gvg7-fpcf.json"