PT-2023-22079 · SvelteKit

V1Ktor0T · Published 2023-04-04 · Updated 2023-04-12 · CVE-2023-29003

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SvelteKit versions prior to 1.15.1

Description: The SvelteKit framework provides out-of-the-box cross-site request forgery (CSRF) protection. However, prior to version 1.15.1, this protection can be bypassed by specifying a different Content-Type header value, such as text/plain. This allows malicious requests to be submitted from third-party domains, potentially leading to execution of operations within the context of the victim's session and unauthorized access to users' accounts.

Recommendations: For SvelteKit versions prior to 1.15.1, update to version 1.15.1 or later to resolve the issue. As a temporary workaround, consider restricting access to API endpoints that handle sensitive operations until the update is applied. Additionally, users who have implemented a ?method= override feature in their handle hook should ensure that their implementation properly validates and handles requests with PUT, PATCH, and DELETE methods.
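The following added example (not SvelteKit's own code) contrasts a CSRF check that only inspects form-encoded bodies, which is why a text/plain request slips past it, with a hardened check that applies the Origin comparison to every state-changing method. The function and endpoint names are hypothetical, and the sample requests are constructed inline.

```javascript
// Added example, not SvelteKit's implementation. Shows why a Content-Type
// allowlist is an incomplete CSRF guard and how a method-based check closes it.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data'];
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// A request is cross-origin when Origin is absent or differs from the app's origin.
// Browsers always attach Origin to non-GET requests, so a missing header is treated
// as untrusted rather than as same-site.
function isCrossOrigin(req) {
  const origin = req.headers.get('origin');
  return origin === null || origin !== new URL(req.url).origin;
}

// Weak variant: only form-encoded POSTs are inspected, so a cross-site POST
// carrying Content-Type: text/plain is never checked at all.
function isForbiddenWeak(req) {
  const type = (req.headers.get('content-type') || '').split(';')[0].trim();
  return req.method === 'POST' && FORM_TYPES.includes(type) && isCrossOrigin(req);
}

// Hardened variant: every state-changing method gets the Origin check,
// regardless of what Content-Type the client claims.
function isForbiddenHardened(req) {
  return STATE_CHANGING.has(req.method.toUpperCase()) && isCrossOrigin(req);
}

// Constructed sample requests; hypothetical endpoint, no network involved.
// Request and Headers are the WHATWG globals available in Node 18+.
function makeRequest(method, contentType, origin) {
  const headers = new Headers();
  if (contentType) headers.set('content-type', contentType);
  if (origin) headers.set('origin', origin);
  return new Request('https://app.example/api/transfer', { method, headers });
}

const sameSiteForm = makeRequest('POST', 'application/x-www-form-urlencoded', 'https://app.example');
const crossSiteForm = makeRequest('POST', 'application/x-www-form-urlencoded', 'https://attacker.example');
const crossSitePlain = makeRequest('POST', 'text/plain', 'https://attacker.example');
const crossSiteDelete = makeRequest('DELETE', null, 'https://attacker.example');
```

Running the weak check over `crossSitePlain` returns false while the hardened check returns true; both reject `crossSiteForm` and accept `sameSiteForm`.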

Exploit · Fix · Incomplete List of Disallowed Inputs · CSRF

Weakness Enumeration: Incomplete List of Disallowed Inputs

Related Identifiers: CVE-2023-29003, GHSA-5P75-VC5G-8RV2

Affected Products: SvelteKit