
CVE Reports

Originally published at cvereports.com


GHSA-HGV7-V322-MMGR: SSR Session Cross-Talk and Data Exposure in SvelteKit query.batch

Vulnerability ID: GHSA-HGV7-V322-MMGR
CVSS Score: 8.6
Published: 2026-05-21

The SvelteKit framework contains a critical cross-talk vulnerability within its server-side rendering (SSR) processing logic. The query.batch functionality improperly scopes state variables during concurrent request handling, allowing data intended for one user session to be exposed to another. The issue is resolved in version 2.60.1 by migrating the batching state to a strictly isolated request store.

TL;DR

A state isolation failure in SvelteKit's query.batch lets the batching state of concurrent remote requests intermingle, exposing one user's session data to another. Version 2.60.1 moves that state into a per-request store backed by AsyncLocalStorage, so each request's context is isolated and the leak is closed.


Technical Details

  • CWE ID: CWE-488 (Exposure of Data Element to Wrong Session)
  • Attack Vector: Network
  • CVSS Score: 8.1 - 9.1 (Estimated)
  • Impact: Sensitive Information Disclosure / Session Cross-Talk
  • Exploit Status: No public weaponized exploits; theoretical race condition
  • Affected Component: query.batch in SvelteKit SSR

Affected Systems

  • @sveltejs/kit (SvelteKit framework)
  • @sveltejs/kit: < 2.60.1 (Fixed in: 2.60.1)

Code Analysis

Commit: dadaefc

Fix batching state leakage across requests by utilizing get_request_store() and state.remote.batches

Mitigation Strategies

  • Upgrade the SvelteKit framework package to version 2.60.1 or greater.
  • Refactor application code to avoid usage of query.batch if immediate patching is impossible.
  • Audit application logs for suspicious bursts of concurrent requests targeting SSR batched endpoints.

Remediation Steps

  1. Identify all projects relying on @sveltejs/kit within the organization.
  2. Update the package.json file to specify @sveltejs/kit version 2.60.1.
  3. Run package manager install commands (npm install, yarn, pnpm install) to update lockfiles.
  4. Execute automated integration and regression tests to verify SSR and data-fetching functionality.
  5. Deploy the updated application build to staging and production environments.
