PT-2026-3088 · Sveltekit · Sveltekit

Published: 2026-01-15 · Updated: 2026-01-19 · CVE-2025-67647

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: SvelteKit versions 2.19.0 through 2.49.4
Description: SvelteKit is susceptible to server side request forgery (SSRF) and denial of service (DoS) under specific conditions. The framework, downloaded over 800,000 times per week, is affected in versions from 2.44.0 onwards by a DoS if the application has at least one prerendered route (using export const prerender = true). Versions 2.19.0 through 2.49.4 are vulnerable to both DoS and SSRF when deployed with adapter-node without a configured ORIGIN environment variable and without a reverse proxy that validates the Host header. The DoS can cause the server process to terminate. The SSRF allows unauthenticated access to internal services when they are fetched from SvelteKit's server runtime. It is also possible to obtain an SXSS via cache poisoning.
Recommendations: Update to SvelteKit version 2.49.5 or later. If you cannot update yet:
- For versions 2.19.0 through 2.49.4, ensure the ORIGIN environment variable is configured when using adapter-node.
- For versions 2.19.0 through 2.49.4, implement Host header validation in a reverse proxy.
- For versions 2.44.0 through 2.49.4, avoid using prerendered routes (export const prerender = true) if possible.
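The Host header validation recommended above, as an added illustration that is not SvelteKit or adapter-node code: a Node.js allowlist check built from the deployment's public origins (the same values one would place in ORIGIN), which a front process can apply before handing the request to the application. The origins, the 421 response and the function names are assumptions for the example.

```javascript
// Added example, not SvelteKit or adapter-node code: Host header allowlisting
// of the kind the advisory recommends in front of adapter-node.

// Build the set of acceptable "host" / "host:port" strings from the public
// origins of the deployment (the same values one would configure in ORIGIN).
function allowedHostsFromOrigins(origins) {
  const allowed = new Set();
  for (const origin of origins) {
    const u = new URL(origin); // throws on a malformed origin
    const defaultPort = u.protocol === "https:" ? "443" : "80";
    allowed.add(u.host.toLowerCase()); // WHATWG URL drops a default port
    if (u.port === "") {
      // Accept the explicit default-port spelling as well.
      allowed.add(`${u.hostname.toLowerCase()}:${defaultPort}`);
    }
  }
  return allowed;
}

// Decide whether a raw Host header value is on the allowlist. Returns a
// reason string so rejections can be logged and alerted on.
function checkHostHeader(hostHeader, allowed) {
  if (typeof hostHeader !== "string" || hostHeader.trim() === "") {
    return { ok: false, reason: "missing Host header" };
  }
  const host = hostHeader.trim().toLowerCase();
  // A Host value is an authority only: no path, userinfo, query or whitespace.
  if (/[\s\/@\\?#]/.test(host)) {
    return { ok: false, reason: `malformed Host header: ${hostHeader}` };
  }
  if (!allowed.has(host)) {
    return { ok: false, reason: `Host not in allowlist: ${hostHeader}` };
  }
  return { ok: true, reason: "" };
}

// Node http(s) handler wrapper: answer 421 Misdirected Request when the Host
// is not allowlisted, before the request reaches the application handler.
// Checks req.headers.host, which this process received directly, rather than
// a forwarded header that a client could have supplied.
function withHostGuard(allowed, appHandler) {
  return (req, res) => {
    const verdict = checkHostHeader(req.headers.host, allowed);
    if (!verdict.ok) {
      console.warn(`rejected request: ${verdict.reason}`);
      res.writeHead(421, { "Content-Type": "text/plain" });
      res.end("Misdirected Request\n");
      return;
    }
    appHandler(req, res);
  };
}
```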

Tags: DoS · SSRF · Resource Exhaustion

Related Identifiers: CVE-2025-67647, GHSA-J62C-4X62-9R35

Affected Products: Sveltekit