Skip to content

task(deps): update dependency @sveltejs/kit to v2.49.5 [security] #4257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

task(deps): update dependency @sveltejs/kit to v2.49.5 [security] #4257

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 15, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@sveltejs/kit (source) 2.49.42.49.5 age confidence

GitHub Vulnerability Alerts

CVE-2026-22803

Summary

The experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion.

Details

When a form is submitted to a remote function endpoint, the SvelteKit client encodes the data using a custom format, and POSTs it to the endpoint as a request with an application/x-sveltekit-formdata content type.

The first few bytes of the request body encode the length of the data. SvelteKit will attempt to read the request body up until the specified offset, but if the body is not yet available then an array buffer of that size will be created eagerly to accommodate it as it arrives.

An attacker can force this code path by sending a small payload that specifies a large data length, then stalling the connection. The resulting array buffer will be held in memory, potentially causing memory exhaustion.

Impact

  • Vulnerability type: Availability / memory exhaustion (memory amplification).
  • Who is impacted: SvelteKit apps with experimental.remoteFunctions enabled, and that expose a reachable Remote Form endpoint.
  • Attack: an unauthenticated attacker can repeatedly open connections, send only the 8-byte header/prefix (with large data_length), and stall the body to hold large allocations, exhausting memory.

CVE-2025-67647

Summary

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Details

Affected versions from 2.44.0 onwards are vulnerable to DoS if:

  • your app has at least one prerendered route (export const prerender = true)

Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:

  • your app has at least one prerendered route (export const prerender = true)
  • AND you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation

Impact

The DoS causes the running server process to end.

The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.

It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).

Credits

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.49.5

Compare Source

Patch Changes

  • fix: avoid overriding Vite default base when running Vitest 4 (#​14866)

  • fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

  • fix: add length checks to remote forms (8ed8155)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Anything related to dependency issues or updates. label Jan 15, 2026
@vercel
Copy link

vercel bot commented Jan 15, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Review Updated (UTC)
themes.skeleton.dev Ignored Ignored Jan 19, 2026 3:15pm
www.skeleton.dev Ignored Ignored Preview Jan 19, 2026 3:15pm

Request Review

@changeset-bot
Copy link

changeset-bot bot commented Jan 15, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 8625675

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from de9714e to 66bed35 Compare January 16, 2026 15:46
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 66bed35 to 8625675 Compare January 19, 2026 15:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Anything related to dependency issues or updates.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant