CVE Reports

Originally published at cvereports.com

GHSA-VRHM-GVG7-FPCF: SvelteKit Remote Functions: Death by Type Coercion

Vulnerability ID: GHSA-VRHM-GVG7-FPCF
CVSS Score: 7.5
Published: 2026-02-19

A denial-of-service vulnerability in SvelteKit's experimental 'remote functions' feature allows attackers to crash the server via memory exhaustion. By manipulating a JSON-encoded 'file offset table' within a custom binary form payload, an attacker can trigger JavaScript type coercion that expands a small payload into gigabytes of string data, overwhelming the Node.js heap.

TL;DR

SvelteKit's experimental remote functions feature trusts user-supplied JSON for file offsets. An attacker can send nested arrays where numbers are expected; the untyped values pass through JavaScript's implicit type coercion instead of being rejected, and a ~1MB request expands into roughly 15GB of heap usage, so the Node.js process is killed out of memory almost immediately.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Attack Vector: Network (POST Request)
  • CVSS: 7.5 (High)
  • Impact: Denial of Service (Memory Exhaustion)
  • Affected Component: form-utils.js (deserialize_binary_form)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • SvelteKit applications with remote functions enabled
  • Node.js servers hosting vulnerable SvelteKit versions
  • @sveltejs/kit: >= 2.49.0, <= 2.52.1 (Fixed in: 2.52.2)

Code Analysis

Commit: f47c01b

fix: validate file offsets

const parsed_offsets = JSON.parse(text_decoder.decode(file_offsets_buffer));
if (!Array.isArray(parsed_offsets) || parsed_offsets.some((n) => typeof n !== 'number' ...)) throw ...
The fix parses the offset table and then refuses it unless JSON.parse returned an array whose every element passes a numeric type check (the rest of the predicate is elided in the quoted line). Before this commit, whatever shape JSON.parse produced for the offsets flowed straight into the file-slicing logic.
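The example below is added here and is neither SvelteKit's code nor the report's proof of concept. It is a toy binary-form decoder with a JSON file-offset table, consumed once without validation (the situation the page describes for the pre-fix deserialize_binary_form) and once with a guard shaped like the fix commit. The wire layout, the function names, the [start, end] entry shape and the use of subarray() plus TextDecoder as the sink are all assumptions made for illustration; the ordering and range checks in validateOffsets go beyond the quoted fix line and are labelled as such in the code.

```javascript
// Added example (not SvelteKit's code and not the report's PoC): a toy
// binary-form decoder whose JSON file-offset table is first consumed without
// validation, as the page describes the pre-fix deserialize_binary_form, and
// then guarded along the lines of the fix commit. Wire layout, function names
// and subarray()+decode() as the sink are assumptions for illustration.

const enc = new TextEncoder();
const dec = new TextDecoder();

// Assumed layout: u32 big-endian table length | JSON offset table | file bytes.
// Each table entry is meant to be a [start, end] pair into the file-bytes region.
function encodeForm(table, fileBytes) {
  const tableBytes = enc.encode(JSON.stringify(table));
  const out = new Uint8Array(4 + tableBytes.length + fileBytes.length);
  new DataView(out.buffer).setUint32(0, tableBytes.length);
  out.set(tableBytes, 4);
  out.set(fileBytes, 4 + tableBytes.length);
  return out;
}

function splitForm(form) {
  const tableLen = new DataView(form.buffer, form.byteOffset, 4).getUint32(0);
  const table = JSON.parse(dec.decode(form.subarray(4, 4 + tableLen)));
  return { table, data: form.subarray(4 + tableLen) };
}

// The start index a TypedArray subarray()/slice() really uses for a JSON
// value: ToNumber runs first, so [] -> "" -> 0, [3] -> "3" -> 3,
// [1,2] -> "1,2" -> NaN -> 0, and a negative counts back from the end.
// Reported as the effective start into a 10-byte view.
function effectiveStart(value) {
  return 10 - new Uint8Array(10).subarray(value).length;
}

// Vulnerable: whatever JSON.parse produced goes straight into subarray() and
// each chunk is decoded into a string. A 4-byte entry such as [[]] coerces to
// start 0 with no end, so every entry yields a string of the whole file region.
function deserializeVulnerable(form) {
  const { table, data } = splitForm(form);
  return table.map(([start, end]) => dec.decode(data.subarray(start, end)));
}

// Hardened: the Array.isArray / typeof === 'number' shape of the fix commit,
// plus integer, range and ordering checks (added here, not quoted from the
// fix) so that even well-typed integers cannot overlap and re-decode the region.
function validateOffsets(table, dataLength) {
  if (!Array.isArray(table)) throw new Error('offset table must be an array');
  let prevEnd = 0;
  for (const entry of table) {
    if (!Array.isArray(entry) || entry.length !== 2) throw new Error('entry must be [start, end]');
    for (const n of entry) {
      if (typeof n !== 'number' || !Number.isInteger(n) || n < 0 || n > dataLength) {
        throw new Error(`offset ${JSON.stringify(n)} is not an integer in [0, ${dataLength}]`);
      }
    }
    const [start, end] = entry;
    if (start < prevEnd || end < start) throw new Error('offsets must be ascending and non-overlapping');
    prevEnd = end;
  }
  return table;
}

function deserializeHardened(form) {
  const { table, data } = splitForm(form);
  validateOffsets(table, data.length);
  return table.map(([start, end]) => dec.decode(data.subarray(start, end)));
}

// Constructed inputs: a benign two-file form, and a hostile one whose table is
// 256 copies of the 4-byte entry [[]] in front of a 64 KiB file region.
const benignForm = encodeForm([[0, 5], [5, 12]], enc.encode('hello world!'));
const hostileForm = encodeForm(
  Array.from({ length: 256 }, () => [[]]),
  new Uint8Array(64 * 1024).fill(0x41)
);

function demo() {
  const hostileChars = deserializeVulnerable(hostileForm).reduce((n, s) => n + s.length, 0);
  let hardenedError = null;
  try {
    deserializeHardened(hostileForm);
  } catch (e) {
    hardenedError = e.message;
  }
  return {
    benign: deserializeVulnerable(benignForm),
    hostileFormBytes: hostileForm.byteLength,
    hostileChars,
    amplification: Math.round(hostileChars / hostileForm.byteLength),
    hardenedError,
  };
}

console.log(demo());
```

Run it with node; the hostile form is about 65 KB on the wire and the unvalidated decoder materialises roughly 250 times that in strings, because each [[]] entry costs the attacker four bytes and costs the server one copy of the whole file region. Under this toy layout the same arithmetic with a 1 MB region and fifteen thousand such entries lands in the 15 GB range the report describes. The validation alone is not what bounds memory: a table of well-typed, in-range but overlapping integer pairs would multiply the work just as well, which is why the hardened version also insists that entries be ascending and non-overlapping.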

Exploit Details

Mitigation Strategies

  • Disable experimental remote functions if not required.
  • Implement WAF rules to inspect application/x-svelte-binary-form payloads for nested JSON arrays where the offset table should contain only numbers. This is a stopgap: it catches this payload shape only, not every malformed table.
  • Deploy process monitoring to auto-restart Node.js services upon OOM crashes. This shortens the outage but does not prevent it; an attacker can simply resend the request, so treat it as recovery, not mitigation.

Remediation Steps:

  1. Check your package.json for @sveltejs/kit.
  2. Run npm install @sveltejs/kit@2.52.2 (or any later release) or yarn upgrade @sveltejs/kit, and make sure the resolved version is not pinned below 2.52.2 by a lockfile or a caret range.
  3. Verify the version with npm list @sveltejs/kit.
  4. Restart the application server.

Read the full report for GHSA-VRHM-GVG7-FPCF on our website for more details including interactive diagrams and full exploit analysis.
