PT-2026-3094 · Sveltekit · Sveltekit

Hashcoko · Published 2026-01-15 · Updated 2026-01-15 · CVE-2026-22803

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SvelteKit versions 2.49.0 through 2.49.4

Description: SvelteKit's experimental form remote function uses a binary data format for submitted form data. A crafted payload can trigger excessive memory allocation on the server, leading to a denial of service through memory exhaustion. The issue arises because SvelteKit reads the request body according to a length specified in the initial bytes of the request: the buffer for the body is allocated at the declared size before the body has actually arrived. An attacker can exploit this by sending a small payload that declares a large data length and then stalling the connection, which forces the creation of a large array buffer per connection and can exhaust available memory. The vulnerability affects SvelteKit applications that have the experimental.remoteFunctions feature enabled and expose a reachable remote form endpoint. An unauthenticated attacker can repeatedly open connections, send a minimal header with a large declared data length, and stall the body to trigger large memory allocations.

Recommendations: Update to SvelteKit version 2.49.5 or later.
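To show the weakness class in isolation, the following is an added example that is not SvelteKit's code and does not reproduce SvelteKit's real wire format: a constructed length-prefixed frame is read once the way the advisory describes (the full declared length allocated up front, before the payload exists) and once with the declared length validated against a fixed cap before any allocation. MAX_BODY_BYTES, encodeFrame, readBodyUnbounded and readBodyBounded are names assumed here, and the "stalled connection" is modelled as the list of chunks that arrived before the sender stopped.

```javascript
// Constructed stand-in format (not SvelteKit's encoding): 4-byte big-endian
// length prefix, then that many payload bytes. `chunks` holds the Uint8Array
// pieces received so far; a stalled peer simply never sends the rest.

const MAX_BODY_BYTES = 1024 * 1024; // assumed server-side cap: 1 MiB

function concat(chunks) {
  const total = chunks.reduce((n, c) => n + c.length, 0);
  const out = new Uint8Array(total);
  let off = 0;
  for (const c of chunks) { out.set(c, off); off += c.length; }
  return out;
}

// Builds a frame whose header may lie about the payload size (for the tests).
function encodeFrame(declaredLength, payload) {
  const buf = new Uint8Array(4 + payload.length);
  new DataView(buf.buffer).setUint32(0, declaredLength, false);
  buf.set(payload, 4);
  return buf;
}

// Vulnerable pattern (allocation of resources without limits): the buffer is
// sized from the peer-controlled header before a single payload byte exists,
// so every stalled connection pins `declared` bytes until it is closed.
function readBodyUnbounded(chunks) {
  const received = concat(chunks);
  if (received.length < 4) return { status: 'waiting', allocated: 0 };
  const declared = new DataView(received.buffer).getUint32(0, false);
  const body = new Uint8Array(declared);            // peer-driven allocation
  const payload = received.subarray(4);
  body.set(payload.subarray(0, declared));
  if (payload.length < declared) return { status: 'waiting', allocated: declared };
  return { status: 'complete', allocated: declared, body };
}

// Hardened pattern: reject an oversized declared length before allocating,
// reject a body that exceeds what was declared, and hold only received bytes.
function readBodyBounded(chunks) {
  const received = concat(chunks);
  if (received.length < 4) return { status: 'waiting', allocated: 0 };
  const declared = new DataView(received.buffer).getUint32(0, false);
  if (declared > MAX_BODY_BYTES) return { status: 'rejected', allocated: 0, reason: 'declared length exceeds cap' };
  const payload = received.subarray(4);
  if (payload.length > declared) return { status: 'rejected', allocated: 0, reason: 'more bytes than declared' };
  if (payload.length < declared) return { status: 'waiting', allocated: payload.length };
  return { status: 'complete', allocated: declared, body: payload.slice() };
}
```

A real server would additionally bound how long an incomplete body may stay open and how many such connections a single client may hold, since the cap alone only limits the cost per connection.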


Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-22803, GHSA-J2F3-WQ62-6Q46

Affected Products: Sveltekit