PT-2024-19992 · Sveltejs · @Sveltejs/Adapter-Node+1
Kamerat · Published 2024-01-24 · Updated 2024-02-05 · CVE-2024-23641
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: @Sveltejs/adapter-node versions prior to 2.1.2, 3.0.3, and 4.0.1; @Sveltejs/kit versions prior to 2.4.3.
Description: The issue occurs when sending a GET request with a body, for example {}, to a built and previewed/hosted SvelteKit app, which throws a "Request with GET/HEAD method cannot have body." error and crashes the app. TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.
Recommendations: For @Sveltejs/adapter-node versions prior to 2.1.2, 3.0.3, and 4.0.1, update to version 2.1.2, 3.0.3, or 4.0.1 to resolve the issue. For @Sveltejs/kit versions prior to 2.4.3, update to version 2.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoint until a patch is available. Avoid using the GET method with a body in the affected API endpoint until the issue is resolved.

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers: CVE-2024-23641, GHSA-G5M6-HXPP-FC49

Affected Products: @Sveltejs/Adapter-Node, @Sveltejs/Kit