CVE-2025-67647

CRITICAL
2026-01-15 [email protected] GHSA-j62c-4x62-9r35
9.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch Released
Jan 21, 2026 - 20:37 nvd
Patch available
CVE Published
Jan 15, 2026 - 19:16 nvd
CRITICAL 9.1

Tags

Denial Of Service Kit Adapter Node

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.

Analysis

SvelteKit 2.19.0-2.49.4 has SSRF/DoS affecting applications with prerendered routes. Can be exploited to make the server perform arbitrary requests or become unresponsive. Patch available.

Technical Context

Improper exception handling (CWE-248) in prerendered route processing enables SSRF and DoS.

Affected Products

SvelteKit 2.19.0-2.49.4 (DoS), 2.44.0-2.49.4 (SSRF+DoS)

Remediation

Update to SvelteKit 2.49.5 or later.

Priority Score

46
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0

Share

CVE-2025-67647 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy