Kit
CVE-2026-22803
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on @sveltejs/kit (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.49.0.
DescriptionGitHub Advisory
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
AnalysisAI
SvelteKit versions 2.49.0 through 2.49.4 are vulnerable to denial-of-service attacks through the experimental form remote function, which fails to properly validate binary-encoded form payloads and can be exploited to exhaust server memory. An unauthenticated remote attacker can craft a malicious payload to trigger excessive memory allocation, rendering affected applications unavailable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | SvelteKit versions 2.49.0 to 2.49.4 with experimental form remote function enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker could exploit this vulnerability to compromise the affected system. |
| Remediation | A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 7 days: Identify all affected systems and apply vendor patches promptly. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
SvelteKit 2.19.0-2.49.4 has SSRF/DoS affecting applications with prerendered routes. Can be exploited to make the server
Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads,
SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the h
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j2f3-wq62-6q46