pkg:npm/@sveltejs/kit

All known vulnerabilities

• HIGH8.8CVE-2023-29008SvelteKit framework has Insufficient CSRF protection for CORS requests
  from 0, < 1.15.2
• HIGH8.8CVE-2023-29003SvelteKit vulnerable to Cross-Site Request Forgery
  from 0, < 1.15.1
• HIGH7.5CVE-2024-23641Sending a GET or HEAD request with a body crashes SvelteKit
  >= 2.0.0, < 2.4.3
• MEDIUM5.4CVE-2025-32388@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params
  >= 2.0.0, < 2.20.6
• MEDIUM4.2CVE-2024-53262@sveltejs/kit has unescaped error message included on error page
  from 0, < 2.8.3
• NONE0.0CVE-2024-53261@sveltejs/kit vulnerable to XSS on dev mode 404 page
  from 0, < 2.8.3
• —CVE-2026-40074@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
  from 0, < 2.57.1
• —CVE-2026-40073@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
  from 0, < 2.57.1
• —CVE-2026-22803@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)
  >= 2.49.0, < 2.49.5
• —CVE-2025-67647SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering
  >= 2.19.0, < 2.49.5