chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#399
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#399renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-sveltejs-kit-vulnerability
branch
from
27e69f4 to
b0303bc
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/npm-sveltejs-kit-vulnerability
branch
from
b0303bc to
c3daeb2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.49.1→2.60.1@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)
CVE-2026-22803 / GHSA-j2f3-wq62-6q46
More information
Details
Summary
The experimental
formremote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion.Details
When a form is submitted to a remote function endpoint, the SvelteKit client encodes the data using a custom format, and POSTs it to the endpoint as a request with an
application/x-sveltekit-formdatacontent type.The first few bytes of the request body encode the length of the data. SvelteKit will attempt to read the request body up until the specified offset, but if the body is not yet available then an array buffer of that size will be created eagerly to accommodate it as it arrives.
An attacker can force this code path by sending a small payload that specifies a large data length, then stalling the connection. The resulting array buffer will be held in memory, potentially causing memory exhaustion.
Impact
experimental.remoteFunctionsenabled, and that expose a reachable Remote Form endpoint.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering
CVE-2025-67647 / GHSA-j62c-4x62-9r35
More information
Details
Summary
Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.
Details
Affected versions from 2.44.0 onwards are vulnerable to DoS if:
export const prerender = true)Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:
export const prerender = true)adapter-nodewithout a configuredORIGINenvironment variable, and you are not using a reverse proxy that implements Host header validationImpact
The DoS causes the running server process to end.
The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.
It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).
Credits
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
CPU exhaustion in SvelteKit remote form deserialization (experimental only)
GHSA-88qp-p4qg-rqm6
More information
Details
Versions of
@sveltejs/kitprior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.Only applications using both
experimental.remoteFunctionsandformare vulnerable.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
@sveltejs/kit:
query.batchcross-talkGHSA-hgv7-v322-mmgr
More information
Details
query.batch()could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure.Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
sveltejs/kit (@sveltejs/kit)
v2.60.1Compare Source
Patch Changes
chore: bump
svelteanddevalue(#15836)fix: prevent
query.batchcross-talk (dadaefc)v2.60.0Compare Source
Minor Changes
feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)
feat: warn on unread
formremote function validation issues (#15653)Patch Changes
fix: abort navigation after async rendering if obsolete (#15811)
fix: skip refreshing queries on full-page reload form submissions (#15803)
v2.59.1Compare Source
Patch Changes
v2.59.0Compare Source
Minor Changes
feat: support
query.batchinrequested(...)(#15751)breaking: on the server, make the promise returned from
refreshrepresent adding the refresh to the map, not the time it takes to run the remote function (#15705)feat: experimental
query.livefunction (#15705)Patch Changes
fix: unwrap
PromiseinRemoteCommandoutput type (#15771)fix: empty call to
.updates()on a command/form invocation means "don't update anything" (#15705)fix:
form.fields.foo.as('checkbox', default_value)now works (#15752)fix: remote forms with default values defined by
field.as('text', defaultValue)now correctly reset to the provided default values once submitted (#15753)fix: make sure queries always get started correctly (#15705)
fix: allow plain functions as overrides in
updates(#15705)v2.58.0Compare Source
Minor Changes
breaking: require
limitinrequested(as originally intended) (#15739)feat:
RemoteQueryFunctiongains an optional third generic parameterValidated(defaulting toInput) that represents the argument type after schema validation/transformation (#15739)breaking:
requestednow yields{ arg, query }entries instead of the validated argument (#15739)Patch Changes
fix: allow
query().current,.error,.loading, and.readyto work in non-reactive contexts (#15699)fix: prevent
deep_setcrash on nullish nested values (#15600)fix: restore correct
RemoteFormFieldstyping for nullable array fields (e.g. when a schema uses.default([])), so.as('checkbox')and friends work again (#15723)fix: don't warn about removed SSI comments in
transformPageChunk(#15695)Server-side include (SSI) directives like
<!--#include virtual="..." -->are HTML comments that are replaced by servers such as nginx. Previously, removing them intransformPageChunkwould trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with<!--#and Svelte's hydration comments never do, they can be safely excluded from the check.Change enhance function return type from void to MaybePromise. (#15710)
fix: throw an error when
resolveis called with an external URL (#15733)fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#15718)
fix: reset form result on redirect (#15724)
v2.57.1Compare Source
Patch Changes
fix: better validation for
redirectinputs (10d7b44)fix: enforce
BODY_SIZE_LIMITon chunked requests (3202ed6)fix: use default values as fallbacks (#15680)
fix: relax form typings for union types (#15687)
v2.57.0Compare Source
Minor Changes
submitto indicate submission validity for enhancedformremote functions (#15530)Patch Changes
fix: use array type for select fields that accept multiple values (#15591)
fix: silently 404 Chrome DevTools workspaces request in dev and preview (#15656)
fix:
config.kit.csp.directives['trusted-types']requires'svelte-trusted-html'(and'sveltekit-trusted-url'when a service worker is automatically registered) if it is configured (#15323)fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#15647)
fix: reimplement treeshaking non-dynamic prerendered remote functions (#15447)
v2.56.1Compare Source
Patch Changes
v2.56.0Compare Source
Minor Changes
breaking: rework client-driven refreshes (#15562)
breaking: stabilize remote function caching by sorting object keys (#15570)
breaking: add
run()method to queries, disallow awaiting queries outside render (#15533)feat: support TypeScript 6.0 (#15595)
breaking: isolate command-triggered query refresh failures per-query (#15562)
feat: use
hydratablefor remote function transport (#15533)feat: allow
formfields to specify a default value (field.as(type, value)) (#15577)Patch Changes
fix: don't request new data when
.refreshis called on a query with no cache entry (#15533)fix: allow using multiple remote functions within one async derived (#15561)
fix: avoid false-positive overridden Vite
basesetting warning when setting apaths.baseinsvelte.config.js(#15623)fix: manage queries in their own
$effect.root(#15533)fix: avoid
inlineDynamicImportsdeprecation warning when building the service worker with Vite 8 (#15550)fix: correctly escape backticks when precomputing CSS (#15593)
fix: discard obsolete forks before finishing navigation (#15634)
chore: tighten up override implementation (#15562)
fix: ensure the default Svelte 5
error.sveltefile uses runes mode (#15609)fix: deduplicate same-cache-key
batchcalls during SSR (#15533)fix: decrement pending_count when form callback doesn't call submit() (#15520)
v2.55.0Compare Source
Minor Changes
$app/types, leading to better type safety when working with params in$app/types,$app/state, and hooks. (#15502)v2.54.0Compare Source
Minor Changes
Patch Changes
chore: upgrade
devalue(#15535)fix: don't wait for remote functions that are not awaited in the template (#15280)
feat: allow
resolve()to accept pathnames with a search string and/or hash (#15458)chore: remove deprecation warnings for
config.kit.files.*options when validating the Svelte config file (#15482)fix: handles form target attribute in remote form redirects (#15457)
v2.53.4Compare Source
Patch Changes
codeSplittingoption (#15451)v2.53.3Compare Source
Patch Changes
form(faba869)v2.53.2Compare Source
Patch Changes
fix: server-render nested form value sets (#15378)
fix: use deep partial types for form remote functions
.value()and.set(...)(#14837)fix: provide correct url info to remote functions (#15418)
fix: allow optional types for remote query/command/prerender functions (#15293)
fix: allow commands in more places (#15288)
v2.53.1Compare Source
Patch Changes
inlineDynamicImportswhen using Vite 8 (#15403)v2.53.0Compare Source
Minor Changes
Patch Changes
fix: remove event listeners on form attachment cleanup (#15286)
fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)
v2.52.2Compare Source
Patch Changes
fix: validate
formfile information to prevent amplification attacks (3e607b3)chore: upgrade
devalueandsvelte(#15339)fix: parse file offset table more strictly (
f47c01b)v2.52.0Compare Source
Minor Changes
matchfunction to map a path back to a route id and params (#14997)Patch Changes
fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)
fix:
resolvewill narrow types to follow trailing slash page settings (#15027)v2.51.0Compare Source
Minor Changes
feat: add
scrollproperty toNavigationTargetin navigation callbacks (#15248)Navigation callbacks (
beforeNavigate,onNavigate, andafterNavigate) now include scroll position information via thescrollproperty onfromandtotargets:from.scroll: The scroll position at the moment navigation was triggeredto.scroll: InbeforeNavigateandonNavigate, this is populated forpopstatenavigations (back/forward) with the scroll position that will be restored, andnullfor other navigation types. InafterNavigate, this is always the final scroll position after navigation completed.This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.
feat:
hydratable's injected script now works with CSP (#15048)Patch Changes
fix: put preloads before styles (#15232)
fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#15269)
fix:
fetchnot working when URL is same host but different thanpaths.base(#15291)fix: navigate to hash link when base element is present (#15236)
fix: avoid triggering
handleErrorwhen redirecting in a remote function (#15222)fix: include
testdirectory in generatedtsconfig.jsonalongside existingtestsentry (#15254)fix: generate
tsconfig.jsonusing the value ofkit.files.src(#15253)v2.50.2Compare Source
Patch Changes
fix: ensure inlined CSS follows
paths.assetsandpaths.relativesettings (#15153)fix: emit script CSP nonces when
unsafe-inlineis present ifstrict-dynamicis also present (#15221)fix: re-export browser/dev from esm-env (#15206)
fix: use validated args in batch resolver in both csr and ssr (#15215)
fix: ensure CSS inlining includes components that are conditionally rendered (#15153)
fix: only match rest params with matchers when the matcher matches (#15216)
fix: properly handle percent-encoded anchors (e.g.
<a href="#sparkles-%E2%9C%A8">) during prerendering. (#15231)v2.50.1Compare Source
Patch Changes
fix: include
hooks.serverandhooks.universalas explicit Vite build inputs to ensure assets imported by hooks files are correctly discovered (#15178)fix: improves fields type for generic components (#14974)
fix: preload links if href changes (#15191)
v2.50.0Compare Source
Minor Changes
buttonPropsfrom experimental remote form functions; use e.g.<button {...myForm.fields.action.as('submit', 'register')}>Register</button>button instead (#15144)v2.49.5Compare Source
Patch Changes
fix: avoid overriding Vite default
basewhen running Vitest 4 (#14866)fix: ensure url decoded pathnames are not mistaken as rerouted requests (
d9ae9b0)fix: add length checks to remote forms (
8ed8155)v2.49.4Compare Source
Patch Changes
fix: support instrumentation for
vite preview(#15105)fix: support for
URLSearchParams.has(name, value)overload (#15076)fix: put forking behind
experimental.forkPreloads(#15135)v2.49.3Compare Source
Patch Changes
fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#15121)
fix: add
typescriptas an optional peer dependency (#15074)fix: use hasOwn check when deep-setting object properties (#15127)
v2.49.2Compare Source
Patch Changes
fix: Stop re-loading already-loaded CSS during server-side route resolution (#15014)
fix: posixify the instrumentation file import on Windows (#14993)
fix: Correctly handle shared memory when decoding binary form data (#15028)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.