CVE-2023-29008

Name of the Vulnerable Software and Affected Versions SvelteKit versions prior to 1.15.2

Description The SvelteKit framework provides out-of-the-box cross-site request forgery (CSRF) protection. However, this protection can be bypassed in versions prior to 1.15.2 by specifying an upper-cased Content-Type header value. This allows malicious requests to be submitted from third-party domains, potentially leading to unauthorized access to users' accounts. The issue can be exploited in certain scenarios, such as when the target site sets SameSite=None on its auth cookie and the user visits a malicious site in a Chromium-based browser, or when the target site doesn't set the SameSite attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off.

Recommendations For versions prior to 1.15.2, update to SvelteKit 1.15.2 to patch the issue. Additionally, explicitly set SameSite to a value other than None on authentication cookies, especially if the upgrade cannot be done in a timely manner.