CVE Reports

Originally published at cvereports.com

GHSA-FPG4-JHQR-589C: SvelteKit Binary Form Logical Expansion Denial of Service

SvelteKit Binary Form Logical Expansion Denial of Service

Vulnerability ID: GHSA-FPG4-JHQR-589C
CVSS Score: 7.5
Published: 2026-02-28

A resource exhaustion vulnerability exists in SvelteKit's experimental binary form handling mechanism. The deserialization logic for remote functions fails to validate that file metadata entries correspond to unique, non-overlapping byte ranges in the request body. This allows an attacker to craft a small HTTP request that expands into a massive logical payload when processed, consuming excessive server memory and CPU cycles.

TL;DR

SvelteKit versions prior to the fix contain a Denial of Service vulnerability in the experimental deserialize_binary_form function. Attackers can map thousands of file objects to a single byte range, causing logical amplification and resource exhaustion.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • Impact: Denial of Service
  • Exploit Status: Proof of Concept Available
  • Platform: Node.js / SvelteKit

Affected Systems

  • SvelteKit applications using experimental remote functions
  • Node.js environments running @sveltejs/kit
  • @sveltejs/kit: versions prior to the patched 2.x release (fixed version: see the release notes)

Code Analysis

Commit: faba869

fix: disallow overlapping/duplicate file ranges in binary form data


Exploit Details

  • GitHub: Patch includes regression test demonstrating the attack vector

Mitigation Strategies

  • Update @sveltejs/kit to the latest patched version.
  • Block traffic with Content-Type: application/x-sveltekit-binary-form if not required.
  • Implement strict request body size limits at the ingress level.

Remediation Steps:

  1. Check current version: npm list @sveltejs/kit
  2. Update package: npm update @sveltejs/kit or pnpm update @sveltejs/kit
  3. Verify the installed version corresponds to a release after Feb 26, 2025.
  4. Restart the application service.

Read the full report for GHSA-FPG4-JHQR-589C on our website for more details including interactive diagrams and full exploit analysis.
